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1 CROSS REFERENCE TO RELATED APPLICATIONS 

2 The present application claims the benefit of United States Provisional 

3 Application No. 60/161,640, filed October 29, 1999, titled SECURE DATA 

4 INTERCHANGE, and Provisional Application No. 60/206,538, filed May 23, +9992000, 

5 titled SECURE DATA INTERCHANGE, both of which are hereby incorporated by 

6 reference. 

7 

BACKGROUND OF THE INVENTION 

8 1 . Field of the Invention: 

9 The Secure Data Interchange invention describes a system to allow a privacy- 

10 protected market for data exchange between multiple self-interested parties. The system 

1 1 presents a general infrastructure for the exchange of information within a safe privacy- 

12 protected environment, between multiple self-interested parties. We propose a central data 

13 warehouse that maintains data submitted by different users, and executes queries and 

14 programs on the data. Rules are associated with data that define how the data can be used 

1 5 and queried, to allow agents that submit data to maintain absolute control over its use. SDI 

1 6 acts as a trusted-intermediary to all parties, and implements an internal market for queries on 

17 the information, allowing agents to specify prices for data access. Furthermore, SDI 

1 8 supports complex queries such as collaborative filtering, that can provide a querying agent 

19 with a one-time benefit of data access but without long-term access to the data that was used 

20 to compute valuable results. 

21 The invention relates to systems that provide personalized information, profiling, 

22 automated matchmaking and information exchange, providing a framework that protects 

23 privacy and allows information collection and profiling within a carefully controlled 

24 environment. Although the marginal cost of data duplication is small, there are hidden costs 

25 associated with data, for example because of privacy concerns, and data can be a valuable 

26 resource in many problems. In business-to-consumer (B2C) applications Secure Data 

27 Interchange addresses the direct conflict between the goal of personalization and the need 
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1 for privacy, preventing the exchange and collection of information without knowledge and 

2 consent. In business-to-business e-commerce applications (B2B) SDI allows vendors to 

3 provide sensitive and valuable information, for example about business needs and customer 

4 bases, in a secure environment that controls access and leverages value. 
5 

6 2. Description of the Prior Art: 

7 The invention of Secure Data Interchange relates to a wide-range of application 

8 domains, all of which are characterized by a need to exchange information in a privacy- 

9 protected and carefully controlled market-based environment. 

10 As a key application we suggest a system for personalized information delivery in a 

1 1 networked environment, in which the SDI-proxy can fact as a local filter on information, 

12 based on what it knows about a user's preferences and methods for filtering pushed by the 

13 provider of content. The system allows collaborative filtering through information that is 

14 provided to the central data warehouse, but never released directly to other agents; 

15 collaborative filtering methods are computed in the central SDI data warehouse. Further 

16 motivation is provided with reference to some electronic commerce applications, that we 

17 describe in (A) business-to-consumer and (B) business-to-business e-commerce 

1 8 applications. 

1 9 In addition to applications within commerce, the system of Secure Data Interchanges 

20 is central to developing many other new products. Examples include the formation of "self- 

21 help" groups between a set of individuals with common interests, and applications to 

22 personal information delivery systems, e.g. for educational and informational purposes. 
23 

24 A. Business-to-Consumer {B2C) Electronic Commerce. 

25 

26 The recent explosion of electronic commerce, in particular Internet-based individual- 

27 to-business electronic commerce, presents new opportunities for automated personalized 

28 information delivery and the automated customization of products and services. This type of 
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1 personalization is very valuable to vendors because it can increase sales volumes, enable 

2 cross-selling and up-selling of goods and services, and allows vendors to price products 

3 dynamically based on information about the preferences and goals of customers. 

4 Personalization is also useful to customers when it correctly identifies the requirements and 

5 preferences of a customer, because it can reduce search cost and enhance the "shopping 

6 experience". Perhaps a customer can find the good or service (i.e. desirable 

7 price/quality/feature tradeoff) that he/she wants more quickly than without personalization, 

8 or receive information about an interesting new product or service that he/she did not know 

9 about. 

10 The basis for these new services is that hitemet-based "shop fronts" can be 

1 1 individualized on a per-customer basis, dynamically and in real-time. Traditional main-street 

1 2 shops must offer the same store layout to every customer, because the layout is physical, 

1 3 although some level of -personalized service can be achieved through well-trained sales 

14 assistants, that act as a "guide" for a customer within a store. On-line "shop fi-onts" are 

15 virtual, and configurable at negligible cost to the customer or the vendor, assuming that 

1 6 computation is cheap and fast. 

1 7 Furthermore, Internet-based electronic conmierce can allow business to collect vast 

18 amounts of consumer information, because customers interact through a computer-based 

19 interface. Customers can be monitored as they browse a Web site for products and services. 

20 Information such as the search-terms that users enter into a search engine, the links that 

21 users follow, and the length of time spent on each page, can all provide an insight into the 

22 current goal of a customer, i.e. the type of product that he/she wants. When combined across 

23 different sessions, and with similar information about the browsing and purchasing habits of 

24 other customers, die information can be folded into a long-term view of the preferences and 

25 needs of a customer. 

26 Moreover, new network connectivity enables different vendors to exchange profiles 

27 for common customers, either statically or dynamically, in order to build broad and detailed 

28 profiles across vendor domains. There exist many potentially powerful synergies between 

29 the data sets that are collected by different vendors, that can be leveraged to provide 

30 appropriate services and products to customers. When analyzed with the proper statistical 
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1 tools these data sets can reveal fundamental patterns in the behavior of -users, and enable a 

2 vendor to provide appropriate information to a user. Furthermore, access to user-profiles 

3 collected by other vendors can enable vendors to provide focused information delivery to 

4 first-time users, and also cross-market services with other appropriate vendors. 

5 Providing user profile information within a carefully controlled environment can 

6 benefit vendors and users: 

7 o Vendors would find benefit in sharing data with other vendors; this would deepen 

8 their understanding of their customers' behaviors and preferences, especially if some 

9 customers were traceable across several data sets. 

10 o Users would benefit fi-om sharing data with other users. This is already evident in 

1 1 the popularity of news groups and web discussion pages catering to individuals with 

1 2 shared interests. By leaming what other people with similar tastes and preferences 

1 3 have discovered and enjoyed, a user can sidestep information overload in the search 

1 4 for personally satisfying information. 

1 5 o Vendors can benefit from receiving data about users. An obvious example would be 

1 6 in the use of collaborative filtering for the marketing of targeted promotions; rather 

17 than being deluged with coupons and advertisements that are of absolutely no 

18 interest, a user would benefit by being presented with advertising that is highly 

19 relevant. In the process, the vendor would increase advertising response rates, 

20 boosting overall efficiency. 

21 o Users can receive benefits from providing information to vendors. Personalization 

22 of content at vendors' web pages, and well-focused banner advertisements at other 

23 web sites that they visit. 

24 The problem is that a user wants controlled personalization, in the sense that it might 

25 not be desirable for information about every on-line transaction that a user performs, every 

26 on-line document that a user reads, and every web page that a user visits, and demographic 

27 information, to be available to every business that the user interacts with, in the virtual and 

28 physical world. 
29 
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1 A.1 Focused Banner Advertising/Content provision 

2 Internet-based media sites have followed preceding formats in generating revenue 

3 from advertising, with content to users often provided free-of-charge. The business model is 

4 similar to that in newspapers, magazines, and television, where circulation and 

5 audience/readership demographics are used to drive revenue. Electronic media presents new 

6 opportunities for media-based business: for example multimedia techniques and 

7 interactivity, —personalized delivery of information, and personalized targeting of 

8 advertising, 

9 The problem - as before, is to acquire and leverage information about the 

10 preferences and interests of a user, within a system that protects user privacy (i.e. controls 

1 1 the collection and exchange of information about users, and controls the use that is made of 

12 that information). A further problem is to extrapolate information from a large corpus of 

1 3 data about an individual user. 

14 A.2 Mailing Lists 

1 5 As another example, suppose that business A requests a list of individuals that meet 

1 6 a particular criteria. Consumer B meets the criteria, but is only listed for business A if A also 

1 7 meets criteria specified by B, for example if A will provide information about new products 

18 and services that are interesting to B. In an application to the profiling of users on-line, the 

1 9 problem is that users want to receive the benefits of targeted products and advertisements, 

20 but want to avoid the abuse of profile information and control vendors' access to that 

2 1 information. 
22 

23 B, Business-to-Business (B2B) Electronic Commerce 

24 The hitemet provides businesses with network connectivity with other business, 

25 both competitors and partners. This connectivity allows businesses to exchange information 

26 about customers (dynamically or statically), in order to identify potential new customers, 

27 build better profiles for existing customers, and up-sell/cross-sell products and services in 

28 real-time. The problem with this exchange of information (that can include swaps, sells, and 
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1 rental access) is that businesses need to (a) protect the privacy of their customers; (b) 

2 prevent information release to competitors, either directly or through third-parties. 

3 B.1 Privacy-Protected Identification of Synergies/Matches 

4 There are many scenarios where autonomous agents would like to be informed of 

5 matches under conditions of mutual consent, but without information leakage to any agent if 

6 any one of the agents declines the match. Consider two vendors, A and B, and suppose the 

7 vendors seek strategic partnerships with other vendors that have appropriate skills and goals. 

8 However, vendor A does not want to broadcast to all vendors its need for a business partner 

9 or a new alliance, instead vendor A wants to be introduced to another vendor with the right 

1 0 mix of capabilities; similarly for vendor B. What is required is a system that only introduces 

1 1 vendor A to vendor B, and perhaps anonymously at first, if both vendors consent to the 

12 introduction. The problem is to provide information that enables matches, without allowing 

13 bad matches and abuse of information - i.e. within an environment of secure data 

14 interchange. 
15 

16 B.2 Credential-based Introductions, Contracting and Messaging-systems. 

17 There are many situations where individual parties, for example individuals or 

18 businesses, require introductions to credentialed individuals and/or businesses, with the aim 

19 of building a new relationship or making a new contract. Consider for example business 

20 associations, where credentials about non-bankruptcy, and no previous attempts to defi-aud 

21 could be important. Consider social introductions, where individuals might be concerned 

22 about past criminal activities of new contacts. In the domain of automobiles, we could 

23 consider a system that identifies other automobiles in the physical location of a vehicle that 

24 have recently been involved in an accident. The problem is to manage certificates within a 

25 system where users can maintain multiple identities, and to protect the release of certificates 

26 without suitable provisions for terms-of-use and criteria for request. 
27 
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SUMMARY OF THE INVENTION 

1 The above problems are solved, and a technical advance achieved, by the system of 

2 Secure Data Interchange. The Secure Data Interchange system enables information about 

3 bilateral and multilateral interactions between multiple persistent parties to be exchanged 

4 and leveraged within an environment that uses a combination of techniques to control access 

5 to information, release of information, and matching of information back to parties. 

6 The system of Secure Data Interchange (SDI) provides a trusted server containing a 

7 large database of information that is owned by its providers. Each data record has an 

8 associated price rule, that controls access to data. The pricing model allows a data owner to 

9 specify a price for different types and amounts of information access, and whether the 

10 identity of the information owner is required, and the system of SDI computes a composite 

1 1 price for a query based on aggregated prices for a query over a number of different data 

12 owners, with an internal market that favors low priced data. The pricing model allows 

1 3 discounts based on certificates of a requesting agent, and as a special case implements the 

14 standard capability-based access control systems, where information is provided to users 

15 with appropriate permissions (i.e. with zero and infinite prices). In addition, the system of 

16 Secure Data Interchange allows data to be submitted with a level of random perturbation 

1 7 (noise), to provide added privacy protection, or altematively allow an agent to specify in 

1 8 conditions under which additional noise should be added to data. A query is priced before 

1 9 execution, to allow an agent to decide whether or not to execute a query, and select between 

20 altemative types of queries. Binding price quotes are provided to querying agents, and 

2 1 queries can be scaled to meet a budget. 

22 Data owners can submit data to the central data warehouse with different degrees 

23 of identification, for example anonymously, pseudonymously, or with a true identity. For 

24 example, in the case of data that represents a user's profile information, for example 

25 information about the interests of a user, a user might prefer to use a number of different 

26 pseudonyms for different types of activities that he/she likes to engage in online. A user 

27 might maintain a number of different aliases within the database, for example to represent 

28 different types of things he/she likes to do which have little bearing on each other. 
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1 Various types of queries can be executed on the server, ranging from traditional SQL 

2 style queries to collaborative-filtering style queries. The inventions of SDI is not predicated 

3 on the type of queries supported, describing instead a general system to execute those 

4 queries within a secure data-controlled environment. We leave the algorithms that 

5 implements the semantics of a query undefined, but define the -interface between that 

6 algorithm and the data in the database, which is protected with price rules. 

7 A query can perform a considerable amount of computation on records in the 

8 database before any information is provided in response to a query. We allow general 

9 purpose programs to run on the server, that might for example perform collaborative 

10 filtering or other data mining techniques before returning aggregate information, for 

1 1 example a new model of the profiles of users of a particular interest to a vendor. However, 

1 2 the total charge for a complete query session is computed as the sum payment charged by all 

1 3 record pointers that are used in computing the final response. 

14 Furthermore, queries can also take an action on behalf of a querying agent, for 



15 example asking another agent to provide more information about something. We allow 

1 6 queries to be priced, based on a model of "revenue collection", in which the SDI server sells 

1 7 the right to access to data on behalf of the agents that submit data into the database. We also 

1 8 propose to allow "persistent queries", which reside on the server for a fixed period of time 

1 9 and return a response to the querying agent whenever conditions are met in the data. 



20 Interesting variations of SDI place data in different distributed locations, and move 

21 the control of information access between a central SDI server and distributed client-side 

22 SDI proxy agents. This allows different tradeoffs between privacy and information sharing. 

23 It also has implications for bandwidth and computational requirements within SDL One role 

24 of a client-side SDI data warehouse is to provide the same fiinctionality as the central shared 

25 SDI database, but with processing only performed on information provided by that agent. 

26 This can allow greater privacy by allowing a user to retain absolute control over his/her data 

27 on his/her local machine without even releasing data to the shared database. 

28 In an application to personalized on-line interactions, we describe a client-side SDI 

29 proxy which manages a user's interactions with the on-line sites of vendors and also 
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1 manages a user's interactions with the central SDI data warehouse, i.e. providing profile 

2 information and controlling profile access. The client-side SDI proxy for an agent that 

3 represents an individual browsing the hitemet can manage that user's profiles in interactions 

4 with other agents, for example representing vendors and content providers. The client-side 

5 SDI proxy can also handle decisions about what types of information to submit to the server, 

6 and manages query execution on behalf of the agent. The client-side SDI proxy agent can 

7 also push information about a user's on-line activities to the central SDI data- warehouse in 

8 real time. This enables a system of- "time-of-purchase-competition" system, in which a user 

9 can request competitive counteroffers fi"om other vendors before making a purchase. 

1 0 The system addresses the fundamental conflict that exists between rights of privacy 

1 1 and efficiency gains fi-om better bilateral exchange of profile/preference information. SDI as 

12 applied to B2C e-commerce allows consumers to receive targeted information about 

1 3 products and services, but without the loss-of-privacy that can easily occur in the current on- 

14 line profiling "firee-for-all". The cookie technology provided by Netscape to supported 

15 personalized sessions with a single vendor on-line has been used by advertising network 

16 providers such as DoubleClick to track users across multiple sites, often without either the 

1 7 consent or knowledge of that individual [New York Times, Feb 7, 2000], 

1 8 In describing the system of secure data interchange we claim the following novel 

1 9 technical ideas: 

20 (a) Agents can associate price-rules with information that is placed in the central 

21 database, and retain absolute control and ownership over all uses of that data. 

22 As a special case of price rules, the system supports access based on certified 

23 properties of querying agents (with zero and infinite prices). The pricing 

24 model allows information providing agents to receive direct value for data, 

25 and allows agents that request access to information to receive a price before 

26 a query is executed, and make appropriate decisions about what type of 

27 queries to execute. 

28 (b) A number of novel techniques are proposed to allow data processing within 

29 the data warehouse without releasing too much information to an agent. 

30 General programs, for example collaborative filtering techniques, can be 
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1 executed in situ within the data warehouse, so that agents can receive the 

2 aggregate benefits of information, without receiving details about the 

3 information. We might also allow an agent to receive anonymous or 

4 randomized information, and control the amount of information that can be 

5 received from a particular record. 

6 (c) The system of SDI can act as a trusted intermediary between agents, 

7 notifying agents about information of a particular type, and for example 

8 sending messages between agents without breaking the identity of agents 

9 except by consent. A special type of query that we call a persistent query 

1 0 allows an agent to maintain a permanent "searching" presence in the central 

1 1 database, always on the lookout for useful information. 

12 (d) In a key variation we push a small version of the SDI data warehouse onto 

13 an user's client computer, where it acts as a proxy agent, and further proxies 

14 an agent's interaction with other agents in real time. The local SDI data 

15 warehouse, called the client-side SDI database, -is a trusted party to the 

16 client, trusted to maintain information that it is valuable to the client and use 

1 7 that information is appropriate ways. The advantage of this method is that an 

1 8 individual never -needs to release sensitive profile information, it is always 

19 held on its local computer — ^but can still receive the benefits of 

20 personalization. 

21 (e) We also suggest a client-side SDI proxy that can collect information about a 

22 user, for example within an Internet browsing application, and periodically 

23 push the collected information to the SDI data warehouse in a controlled 

24 way. The client-side SDI proxy can also be responsible for certain data 

25 certification functions, and can manage a user's interactions with other 

26 agents to protect its privacy in non-SDI mediated transactions. 

27 As an application to B2C e-commerce, the system of SDI allows client-side personalization 

28 instead of provider-side personalization. Instead of passing profile information to a provider 

29 and receiving personalized information in return, providers can provide personalization 

30 methods that are used interactively with local profile information about consumers to target 

31 products and services without receiving explicit information about a user's profile. In a 
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1 simple form, the vendor provides complete information about its services, and a method to 

2 display them to the user based on his/her local profile. When describing the application of 

3 SDI to electronic commerce we also describe methods to implement necessary ancillary 

4 systems that are essential to supporting full e-commerce functionality within an identity- 

5 protected system, such as systems for pseudonymous payments and physical mailing of 

6 products. 

7 Collaborative filtering based on profiling information fi-om multiple users is 

8 supported within the central SDI data warehouse, but within a system of economic 

9 incentives, where users provide profile information in retum for receiving payments from 

10 vendors for that information. This allows broad network- wide information to be used for 

1 1 profiling, in addition to deep vendor-specific information. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

1 The novel features believed characteristic of the invention are set forth in the 

2 appended claims. The invention itself however, as well as a preferred mode of use, further 

3 objects and advantages thereof, will best be understood by reference to the following 

4 detailed description of an illustrative embodiment when read in conjunction with the 

5 accompanying drawings, wherein: 

6 Figures 1 through 21 illustrate various parts and embodiments of the invention. 



Page 13 of 381 



SUBSTrTUTE SPECIFICATION 



DESCRIPTION OF THE PREFERRED EMBODIMENT 

1 1, Introduction 

2 The invention of Secure Data Interchange (SDI) describes a general infrastructure 

3 for the exchange of information within a controlled environment. We propose a central data 

4 warehouse that maintains data submitted by different users, and executes queries and 

5 programs on the data. Rules are associated with data that define how the data can be used 

6 and queried. As such, the system of SDI prevents the exchange and collection of 

7 information without knowledge and consent. The system allows for payments to be received 

8 by the providers of information, in return for data access. In application, the invention 

9 enables new systems for the delivery of personalized information, profiling and automated 

1 0 matchmaking and information exchange, all within a framework that protects privacy and 

1 1 maintains data security. SDI supports the collection and exchange of information between, 

12 and relating to, autonomous (and possibly self-interested) agents within a distributed 

1 3 environment. 

14 1.1 Definitions. 

1 5 Agent. An agent in SDI is a any party that wants to sell or give away data to other parties, or 

16 buy or receive data, or in general both provide and receive data. Agents may represent any 

17 party with individual goals, autonomy of control, and a persistent identity. Examples in 

1 8 business-to-consumer e-commerce include business such as newspapers, book stores and 

19 travel companies, that wish to receive data about the profiles and buying habits of users so 

20 that they can personalize the information, products and services that are sold to users. We 

21 assume that agents are autonomous from the system of Secure Data Interchange, and follow 

22 actions consistent with their preferences, abilities and resources. Similarly, an on-line 

23 consumer is an agent that wishes to provide data about its preferences and buying habits to 

24 vendors and other consumers, in return for well targeted products and financial reward. 

25 Agent Computers^ Agents are represented in the system of secure data interchange with 

26 dedicated computational resources, agent computers, with permanent memory, processing 
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1 power, and network connectivity. For example, an agent computer might be a consumer's 

2 home PC that will act as a client machine in interactions with the central SDI data server and 

3 the servers of on-line vendors. For a vendor, an agent computer might be the server 

4 computer that it uses to execute its on-line business. Agent computers might also be thin 

5 clients, such as mobile computing devices, handheld devices, cell phones. We push different 

6 amounts of data and functionality within SDI to agent computers and away from web centric 

7 devices depending on the nature of the computer and an agent's preferences. 

8 Certificates^ Certificates are used within SDI to establish trust between different agents, 

9 and to help agents to reach useful agreements. 

10 Profile: Each agent can have one or more profiles, which the agent can assume in its 

1 1 interactions with other agents. Part of a profile is a user's identity, that provides a (possibly 

12 limited) method for another agent to identify the agent in the future when it assumes the 

13 same profile. We allow three types of agent identities: anonymous, pseudonymous, 

1 4 persistent pseudonymous, and true identity. An agent may assume a profile and an identity 

1 5 in any interaction with another agent. 

1 6 o Anonymous. To assume an anonymous identity agent A creates a one-time identifier 

1 7 that it uses in interactions with one other agent. The identifier may allow the other 

1 8 agent to respond zero or one times. 

1 9 o Pseudonymous. A pseudonymous identifier created by agent A may be used with 

20 more than one other agent, and allows agents to respond to agent A as many times 

21 as they like, but agent A can terminate the pseudonym at any time and separate 

22 from the identity. Agent A can optionally restrict the number of agents that may 

23 reply to the pseudonym, for example to the agents that it explicitly provides with the 

24 identifier. 

25 o Persistent pseudonymous. A persistent pseudonymous identifier is created by agent 

26 A for use with agents in set S, and provides the added condition that agent A 

27 promises to use the same pseudonym for all interactions with all agents in set S for 

28 all time into the future. Agent A can optionally restrict the number of agents that 
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1 may reply to the pseudonym, for example to the agents that it explicitly provides 

2 with the identifier. 

3 o True identity. If agent A -interacts with another agent under its true identity then it 

4 has no method to prevent the agent or any other agent responding to agent A in the 

5 future. 

6 The identity that an agent assumes with a profile matters not only to the ability of an 

7 agent to control the agents that can send it messages, but also its ability to control the 

8 amount of information that can be exchanged about the agent in the open marketplace, out 

9 of the agent's control. A basic premise in the system of Secure Data Interchange is to keep 

10 control of data. We provide methods that allow an agent to release data, or performing 

1 1 processing on data, to one agent but prevent that agent from selling the data on to another 

12 agent with which agent A also interacts. For example, one key technique is for agent A to 

13 use a unique pseudonym with every agent that it interacts. This allows an agent (so long as it 

14 is careful not to release other identifying information) to release profile information to other 

15 agents without losing the value of that information, because there can be no secondary 

16 market in the agent's profile. If agent A provides information to agent B, then agent B 

1 7 cannot pass that information onto another agent C and have it still linked to agent A because 

1 8 agent C does not know the identity of agent A among the agents that it interacts with. 

19 An agent's profile contains any and all data that an agent might wish to exchange 

20 with another agent when it assumes a particular identity. However, just because the data is 

2 1 in the profile it does not mean that it is available to another agent. Possible information in 

22 the profile of an on-line consumer includes: transactions that it has performed with other 

23 agents; information that relates to its true identity (e.g. salary range or education level); 

24 information provided by the agent (such as its preferences for a particular type of product, 

25 etc.); and other information that has been compiled based on observing the behavior of the 

26 agent (e.g. physical location for a mobile user, such as a user in a vehicle, or trace of recent 

27 web pages visited for a user that is browsing the Intemet.) 



28 SDI-Proxy: An SDI-proxy refers to the software that runs on top of an agent's computer 

29 device, and configures that device for Secure Data Interchange. The proxy intermediates 

30 interactions between pairs of agents, and also intermediates transactions between agents and 



Page 16 of 381 



SUBSTrTUTE SPECIFICATION 



1 the SDI data server. For example, an on-line consumer might define a profile-management 

2 policy at the client-side SDI proxy that automatically configures the agent's profile and 

3 identity when as the agent interacts with other agents. The profile-management policy 

4 implements an appropriate policy to select the user's profile and identity on the basis of the 

5 information that is available about the other agent (for example fi-om certificates). 

6 

7 1 .2 System Architecture 

8 The basic architecture for SDI is a system of agent computers, connected via a 

9 network (Internet, wireless, or otherwise) to other agent computers, and with a central SDI 

1 0 shared data warehouse. In Figure 1 we illustrate the top-level architecture of -Secure Data 

1 1 Interchange, the networked system of agent computers and a centralized server computer 

12 that acts as a repository for data, rules and code. This is called the SDI data warehouse. 

1 3 Each user is associated with an agent computer, and in general users can be individuals, 

14 groups of individuals, or companies. In its most general form, the system of Secure Data 

15 Interchange is for a system of multiple autonomous agent computers, involved in 

16 multilateral communication. We restrict the system description to bilateral communication 

17 between agents, without loss of generality because any multilateral (multicast or broadcast) 

18 can be implemented as a set of bilateral communications. In any bilateral communication 

19 there are two parties, the sender and the receiver (and the parties can dynamically change 

20 over a communication session). 

21 SDI proxy agents and profile management policies on agent computers mediate 

22 bilateral agent interactions. Agents define profile-management policies that are implemented 

23 on agent computers and determine appropriate profiles and identities for an agent in 

24 interactions. Every time an agent initiates a new interaction, new information is available 

25 about the agent, that can be compiled by the agent's own computer device, and also by the 

26 computer device of the agent with which it interacts. Carefiil profile and identity 

27 management provides an agent with absolute control over the ability of other agents to 

28 profile the agent and exchange information about the agent, for example the agent can use a 

29 unique pseudonymous identifier with every other agent. However, the core of the SDI 

30 invention is that we encourage agents to exchange information, by providing a secure 
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1 central data interchange for that purpose. Agents can submit profile information, and other 

2 data, to the central data warehouse and make it available for particular types of data mining 

3 by other agents, and receive financial reward for providing data. Products and services can 

4 also be targeted for agent A on that agent's computer, without the provider agent receiving 

5 information about agent A's profile. For example, vendor B might provide generic 

6 information about its products to agent A, and a personalization rule that it has constructed 

7 from data mining the central SDI data warehouse. The agent computer of agent A can then 

8 use its local and private profile information to decide what products to target to the agent, 

9 based on the instructions that it receives from agent B. 

1 0 The -arrows indicate possible flows of information between the different elements 

1 1 within the system. We allow agents to communicate directly, -via bilateral or multilateral 

12 communication, -and also indirectly via the central data warehouse. Information can be 

1 3 submitted to the central data warehouse, -for example new data and new rules, or queries 

14 that the data warehouse will execute. The data warehouse returns information to agents, for 

15 example the results of a query. The Secure Data Interchange invention is independent of the 

1 6 implementation details of the communication platform. We assume that the system of SDI is 

17 built on top of a secure communications platform, for example via a SSL-encrypted TCP/IP 

1 8 session in an application to the Internet. Furthermore, we draw on cryptographic techniques 

19 known in the art for identity management, and additional techniques to support 

20 pseudonymous identities within a particular network protocol, e.g. the stripping of sender 

2 1 URL addresses from HTTP packets on the Intemet. 

22 In overview, the top-level claim in the system of Secure Data Interchange, of a 

23 privacy-protected market-based system for data exchange between self-interested parties, is 

24 constructed from the following core components: 

25 o A Central Data Warehouse, with associated price-rules and constraints submitted by 

26 the owners of data. Architectural variations allow virtual links to data in the central 

27 data warehouse, with data physically located in distributed locations. 
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1 o A Query-execution and Price module, which executes queries on the data within 

2 constraints on the types of queries that can be performed, and computes the price of 

3 queries, collecting payment. 

4 and the following optional components: 

5 eDistributed data management, via client-side SDI "proxy" agents, that intermediate the 

6 interactions between agents, and manage data provided to the central SDI data warehouse. 

7 Distributed data management includes methods to manage an agent's identity in interactions 

8 with other agents, for example via pseudonymous and anonymous interactions. 

9 o_ 

10 o Distributed query-execution, via client-side SDI query-execution modules, that 

11 allow data that is physically stored in distributed locations to be queried on 

1 2 distributed nodes, without an explicit release of the data. 

1 3 o Data perturbation methods to augment data values with randomized noise, to allow 

14 queries to tradeoff price and quality, and to allow a user to protect his/her identity by 

1 5 hiding revealing details of submitted data elements. 

1 6 In describing key applications of the system of Secure Data Interchange, we describe 

1 7 in later sections additional features that extend the functionality of the invention: 

18 o Community dollars: an extended payment scheme that allows extended forms of 

19 payment within the system, for example allowing payment to be made in terms of 

20 discounts in purchases from particular vendors, or in retum for agreements to 

2 1 purchase a certain number of products over an extended period of time. 

22 o Within an Internet-browser based system, methods to control a user's browsing 

23 experience via a personalized portal, where personalization is performed via data 

24 mining techniques executed by the system of SDI on data in the central data 

25 warehouse. 

26 o Methods to support anonymous and pseudonymous electronic commerce, e.g. 

27 delivery and payment services. 

28 In the next section we provide an overview of each of the central SDI data 

29 warehouse, which forms the core component of Secure Data Interchange. We then add 

30 technical details for specific components, to make our ideas more concrete. 
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1 

2 1.3 Implementation Details 

3 In this we describe some of the core technologies known in the art that would be 

4 used to build up an implementation of the SDI system. The technologies span areas in 

5 cryptography, for pseudonym management, digital certificates, payment mechanisms, 

6 etc.; -and information theoretic-methods, for example to protect the identity of the 

7 originator of a message by routing messages through local "crowds" of agents. 
8 

9 1.3.1 Certificate Management 

10 Cryptographic techniques well-know in the art [Chaum 81; Chaum 85; Chaum 91] provide 

1 1 the ability for a certificate to be linked to an agent's identity, and not transferred to other 

12 agents. This is the basic functionality required of a certificate management system. For 

1 3 example, a certifying agency can sign the public key of an agent with the private key of the 

14 certifying agency, to indicate that the agent satisfies requirements for certification. Another 

15 agent can verify the certificate with the public key of the agent and the public key of the 

1 6 certifying agency. The certificate cannot be transferred to another agent unless that agent 

1 7 assumes the same public key. We assume a public key infi-astructure to manage this process. 

18 1 .3.2 Support for Anonymous and Pseudonymous Identities 

1 9 We have already noted that it is important to provide whatever additional support is 

20 required because of the imderlying communication infrastructure to protect agents' profile 

21 management policies. For example, in the TCP/IP mechanism a message must be stripped of 

22 the network address of the originating Intemet server, because this can provide information 

23 to allow pseudonyms to be linked. Similarly, messages can be routed through a common 

24 gateway or random "forwarders" as in the "CROWDS" system- [GGMM98; RR98] to 

25 provide pseudonymity. Furthermore, other e-commerce fiinctions, such as payment and the 

26 anonymous mailing of goods must be supported (see [INSERT A FORWARD REF TO A 

27 LATE SECTION OF BOTTOM-LEVEL SDI DOC]). 

28 The ability to embed data within web pages allows client-side processing of 

29 information. By embedding profile and location information directiy within a web document 
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1 we can alleviate the bandwidth and computational bottlenecks that can occur at a centralized 

2 profile server if profiles are fetched on-the-fly when web pages are downloaded by clients. 

3 The origin server (supported by the vendor) requests periodic profile updates fi*om the 

4 central SDI server. This duplication of information enables the profile and the page contents 

5 to be provided directly from a vendor's server. 

6 There are some potential drawbacks of this approach: (1) the profile information 

7 associated with a web page and target objects can be out-of-date; (2) the profile information 

8 is available to all clients and proxy servers, not just those that are SDI-enabled; (3) the 

9 profile information can be altered. We suggest technical solutions to each of these problems 

1 0 below. 

1 1 In one variation of SDI the profile of a user is maintained on the user's client, and 

12 partitioned into separate profiles for each pseudonym that a user chooses to maintain. 

13 Personalization of products and services (product types, prices, etc.) is performed at the 

14 client, through the execution of trusted code that is embedded as a Java applet or as 

1 5 JavaScript within the web document of a vendor. In this way a vendor never receives access 

16 to the profile of a user, but is nevertheless able to personalize its response to users, even 

1 7 when a user first visits a site (on the basis of the profile for a user from his/her previous 

18 online transactions). Profiles for the target objects of a vendor that enable appropriate 

19 objects (representing particular products, or news stories for example) to be presented to a 

20 user are embedded as XML data within the vendor's web document. 

21 In another variation of SDI personalization is not performed at the client, but either 

22 at the ISP-level SDI proxy server or the vendor's server. The location and other profile 

23 information that relates to a user are pushed to the ISP-level proxy or vendor server when a 

24 user requests a web page. In the same way as XML allows profile information about web 

25 sites and vendor products to be associated with a web document, and profile information to 

26 be provided from the central SDI server to a vendor, XML can be used to encode a user's 

27 profile. The system of SDI allows for profile and location information to be randomized 

28 slightiy (and even anonymized) to protect the identity of a user, for example when an ISP- 

29 level proxy is not trusted. 
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1 1 .3.3 Maintaining the Integrity and Security of Messages 

2 The privacy of information in transit between servers and clients can be assured 

3 through standard end-to-end cryptographic solutions that establish a secure session prior to 

4 any data exchange, such as Secure Sockets Layer (SSL) that uses X.509 certificates and is 

5 supported by current browser technology. 

6 In order to prevent the possibility of individual users being bribed by vendors to 

7 disclose target object profile data which reflects this type of information, users should not be 

8 provided access to directly decrypt the metatags for these portions of the target objects 

9 profile data, but rather this decryption and release of profile data should be performed 

10 securely in conjunction with the fixnctions of the profile processing (profile matching 

1 1 module) upon the client level proxy server rather this decryption and release of profile. 

12 In addition, we prevent unauthorized access of embedded profile information 

13 through the encryption of the metadata that is represented within the XML structure of a 

14 web page. 

1 5 Profile information can be encrypted using a hierarchy of keys, so that different 

1 6 levels of access to the information may be provided according to the access levels of users 

1 7 and vendors. All users that request web pages fi^om SDI-enabled vendors, whether or not the 

18 user is a member of SDI receive the same profile information. We provide encrypted 

19 profiles to vendors in the Trofile Update' messages fi"om SDI to vendor servers, so that: (a) 

20 unauthorized agents cannot tamper with the profiles; (b) the profiles cannot be read by 

2 1 unauthorized agents. 

22 The SDI system supplies a private key to trusted SDI client sofl:ware, that enables 

23 only SDI-enabled clients to access profile information, and only access that information to 

24 the extent permitted by privacy policies of users and vendors. Different levels of encryption 

25 enforce multiple levels of access. Periodically the key pairs are changed to prevent 

26 extended attempts at cryptographic attacks. The SDI system uploads the key that provides 

27 the correct level of access for a user to a user's client, once terms of access and profile 

28 management have been agreed. A client can only access embedded information once 
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1 enabled with a relevant key. Finally, profile information is signed with a digital certificate, 

2 to prevent third parties fi'om tampering with profiles for commercial gain. 



3 2. Core Modules 

4 Figure 2 illustrates the core modules within the system of Secure Data Interchange. In this 

5 section we briefly describe each module in relation to the other modules, and provide more 

6 details in later sections. 

7 The central SDI data warehouse is the core system in SDI, managing data records on 

8 behalf of agents. In combination with the query-execution module, these two modules 

9 implement the privacy-protected market for query-execution, where queries are executed: 

10 o If the querying agent has the right certificates, as defined by the owner of data 

1 1 o (and) If the querying agent pays the cost of performing a query 

12 Furthermore, the system of SDI implements an internal market, with queries 

1 3 executed as cheaply as possible, within quality constraints provided by a querying agent. 

14 The eBank module in SDI collects payments, and allows those payments to be transferred to 

1 5 external bank accounts, or used in part payment for products and services to SDI-enabled 

16 vendors. 

1 7 We allow the central SDI data warehouse to be replicated and/or partitioned across a 

18 network, for example a small single-user SDI data warehouse can be situated at a user's 

19 client machine to allow vendors to provide personalized products and services without 

20 releasing personal information (e.g. profiles). The rules that personalize products are 

2 1 queries, which can be executed in the SDI proxy on a user's machine. 

22 The central data warehouse acts as a repository for data submitted by agent 

23 computers on behalf of users. Consider, for example, data that represents user profiles (i.e. 

24 what types of books they like to read, what there political interests are, etc.), or data that 

25 represents business rules (i.e. what type of customer a business is seeking, what types of 

26 products it offers, what type of strategic agreements it is looking to make with other 

27 businesses, etc.) 
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1 The data repository contains information submitted by agents to the central data 

2 warehouse. It is not necessary that a single agent links all information submitted by one 

3 agent, because agents can submit information anonymously or pseudonymously. Although 

4 agents submit data to the central shared warehouse they maintain key aspects of ownership 

5 of that data, but without minute-by-minute management of the data, hi particular, providers 

6 of information provide the central SDI warehouse with a certain amount of autonomy to 

7 control how the information is used: the types of uses that are permitted, the type that are not 

8 prohibited, and what types of rewards (financial or otherwise) are required for access to the 

9 information. The system of SDI, in the access that it allows to information in the database, 

1 0 acts as a trusted agent for information. One role of SDI is to protect the identity of an agent 

1 1 that requests and provides information— allowing agents to remain anonymous when that is 

12 desirable. We outline in this description the key technical solutions with which this is 

1 3 achieved. 

14 The data is heterogeneous, best represented within an object-oriented database 

1 5 system. Each data object is associated with an accessor function, which describes the syntax 

16 of vaUd queries on a particular type of data, and executes queries. As data types become 

1 7 standardized, we could suppose a library of standard accessor functions for different data 

18 types, perhaps provided by third parties. For example, a special data type could be 

19 developed to represent the profiles of online customers. As part of query execution 

20 therefore, is the execution of methods associated with heterogeneous types of data. Of 

2 1 course, we can also describe a simple special case where the data types are more transparent 

22 to SDI, and data fields are directly indexed as in standard databases. 

23 Agents can submit queries to the SDI data warehouse, these are placed in the 

24 pending queries queue if they are one-time and to be executed as quickly as possible, or in 

25 the persistent queries queue if they are to be executed periodically, as the data in the 

26 repository changes. The query execution module contains the processor that performs 

27 instructions on behalf of agents, within the constraints of price rules. 

28 Price rules are associated with data records. Price rules compute a charge for 

29 requested information about the data record. We describe a number of simple price 
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1 languages, to allow an owner of information to configure access to the data. In general the 

2 price rules can be quite complex, and implemented within an object-oriented framework, so 

3 that the system of SDI is expandable to new data types. The query-execution module can 

4 execute both the methods to access data in objects, and the methods to price access to data. 

5 In performing query execution, we suggest some techniques to minimize the price paid to 

6 perform a query — for example we implement a simple intemal marketplace where the data 

7 records with the smallest price are selected, with all other things equal. 

8 As a special case, prices can implement the standard capability-based access control 

9 systems, such as those in UNIX, where a user must possess the necessary properties to read 

10 information. A price $0 corresponds to permission to access information, while a price 

1 1 Sinfinity prevents a user from reading information. The price rule computes a price for 

12 accessing information based on a number of factors: the properties of the requesting agent, 

1 3 as demonstrated with certificates; the information requested; and whether the identity of the 

14 owner of the information is revealed to the requesting agent. SDI enforces the price rules, 

15 with payment collected from agents before the results of queries are reported. SDI allows an 

1 6 agent to contribute information to the shared database but maintain control over access to 

17 the data. Price rules can also specify different prices based on the degree of random 

18 perturbation that is performed on data before a query is executed. This can protect the 

19 identity of the owner of information but still allow valuable information to be provided in 

20 response to a query. 

21 The system of SDI also expands the possible space of agreements through 

22 anonymity techniques and through random perturbation of data. Agents can provide 

23 information anonymously or pseudonymously, or with their true identities revealed. 

24 Furthermore, agents can charge less for information provided anonymously than for 

25 information provided under a revealed identity. Meta-information associated with data can 

26 also specify whether the information has been certified by a third-party, or whether it has 

27 been randomized slightiy before placing in the SDI data warehouse. 

28 The data repository is linked to the query-execution module, that performs queries 

29 that are queued to be executed in the pending queries queue. We allow queries to be general 
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1 programs, an extension from the simple queries that are found in SQL-based database 

2 languages. The key novelty is that the query-execution module can maintain intermediate 

3 results, for example pointers to records selected as part of intermediate queries. In a standard 

4 database there is more of a separation between data access and data processing, with data 

5 accessed, pulled outside of the database, and then processed. We allow data to be accessed 

6 and processed in the database, with results pushed to clients. This is has useful privacy 

7 properties, because less information is finally provided in response to a query. It is very 

8 useful in the space of secure data interchange because it expands the set of agreements that 

9 can be reached between providers of information and requestors of information. 

10 Data manipulation is via record pointers, which are one-time and anonymous 

1 1 pointers to data records. We associate a single query (possibly a complex query, i.e. a query 

12 program) with a query session. A record pointer is a temporary identifier for a record that is 

1 3 selected. The pointer allows persistent queries to be performed on the same record during a 

14 single query session, but is not valid in other sessions. The same data record might be 

1 5 accessed multiple times during a single session, and with multiple record pointers when the 

16 accesses are independent (i.e. when the querying agent does not know that it is requesting 

1 7 information of the same data record). Provisional payments are tallied against each record 

1 8 pointer, and relate to the degree of information provided about that record. For example, 

19 consider the problem of finding a set of profiles of a particular type. As the search is 

20 performed over data records in the database the query-execution module assesses a 

21 provisional payment, as records are accessed. However, the requestor of the information 

22 only pays the sum payment charged by the records that are actually selected as suitable. The 

23 owners of the data records that were not selected in the final result returned to the user 

24 receive no payment, because no information about their data was released and the 

25 information was only used in intermediate processing steps. This is important, because it 

26 makes it unnecessary to formulate queries carefully in order to avoid extra cost because of 

27 redundant intermediate steps. 

28 Complex queries, including query-programs, with intermediate results and 

29 anonymous record pointers expand the space of data manipulation in a system with 

30 providers of information that are more willing to release information if that information is 
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1 never made directly available to another agent except in aggregated system-wide terms. An 

2 agent might be willing to allow submitted data to be used for data mining applications so 

3 long as the data remains in the trusted data repository. The central SDI server can provide 

4 standard types of query-programs, stored in the SDI-methods module, for example methods 

5 to perform collaborative filtering. 

6 The query-execution module also performs persistent queries that are submitted by 

7 agents to be executed when particular conditions in the data repository are true. Persistent 

8 queries check for certain information to reside in the data warehouse, and notify a requesting 

9 agent whenever these conditions exist, perhaps automatically making an action. 

1 0 The pricing module is responsible for pricing queries before execution. The basic 

1 1 problem is to aggregate the charge over all data records that provide information to form 

12 part of the result of the query, and to estimate the price of a complex query without 

1 3 performing the query. We suggest a simple top-level query language to allow a user to price 

1 4 quality-cost tradeoffs in the query that is finally executed. For example, statistical techniques 

15 can be used to compute aggregate statistics without accessing all data records in the 

16 database. To give another example, a query can be performed on the basis of accurate 

1 7 information or on the basis of slightly randomized information. The pricing module reports 

1 8 a price to a requesting agent, and then allocates payment to appropriate agents in the e-Bank 

1 9 if and when a query is actually executed for a user. 

20 The e-Bank is a module that maintains a balance of payments received for each data 

21 entry in the warehouse, one balance for each of the unique SDI identifiers with which an 

22 agent submits information. 

23 There can be multiple accounts for a user in the case that the same person or 

24 company submits information under multiple IDs (see below). 

25 The communication module receives messages fi*om agents. Agent messages can be 

26 updates about information or access rules in the data warehouse, information received fi'om 

27 the owner of data. Messages might also be new queries. The module also sends messages to 

28 agents, for example messages that indicate the results of an instruction are available, or to 
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1 send messages that are generated by instructions from other agents and consistent with the 

2 rules associated with an agent's profile. The module also chooses an action to perform based 

3 on messages received, i.e. processes incoming messages and either discards them, places 

4 them in the appropriate location if they are a query, or updates the data and rules when a 

5 message contains new data. 

6 The following sections describe each of the key components in turn. 

7 3. Data Repository 

8 The data repository in the SDI data warehouse is a general-purpose database that 

9 stores information submitted by agents. Multiple agents submit information, each of which 

1 0 retains control over access to their data. Access to information is controlled via the price 

1 1 rules that an agent specifies when providing information. The SDI query execution module 

12 enforces price rules, collecting revenue from requesting agents before providing results. The 

13 system of SDI allows users to receive economic benefits from information, and realize 

14 synergies — in a controlled environment. SDI implements an internal market for 

1 5 information^ such that data records with the best price are used in queries, given a number of 

1 6 records that satisfy other requirements. 

17 For example: SDI can be used to store the profiles on online customers, to allow 

18 vendors to better personalize services and identify market opportunities and to allow 

19 customers to receive value for their profiles; SDI can be used to store job offers and job 

20 applications, where job offers can contain salaries that are only revealed to applicants with 

21 suitable qualifications. 

22 SDI is designed to allow users to submit many different types of information, from 

23 many different sources, and for many different purposes. The application is particularly 

24 useful when it becomes a de facto data repository for lots of different types of information, 

25 information that can in fact be analyzed for the purpose of extracting patterns and other 

26 usefiil data (e.g. with collaborative filtering techniques). However, we provide three key 

27 variations in the following description, which are not necessarily exclusive. 
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1 LA single unified database, with information residing on a central server (or a 

2 number of central servers). We describe tv^o possible implementations for such a 

3 heterogeneous database, one XML-based and another object-oriented model. 

4 2. Multiple databases, partitioned into "data types". For example, one SDI database 

5 might contain profiles on online customers, while another database might contain 

6 information about job offers and job applications. This type of database can be 

7 implemented using a standard "indexed-field" representation. Again, the 

8 information resides on a central server (or a number of central servers). 

9 3. Distributed data, with some data residing on a central server, and some data 

10 physically located on distributed servers (e.g. on the servers of vendors that 

1 1 subscribe to SDI), but with virtual "hyper links" from the central server to give 

1 2 one unified view of the data. 

13 The key over-riding problem is one of data representation, the way in which 

14 information is encoded. We describe a general infrastructure for information exchange, and 

1 5 do not mean to limit the description to any one type of data. Furthermore, the system of SDI 



16 should be expandable, so that new data types can be introduced, hi this specification the 

1 7 type of information in the Secure Data Interchange shared data warehouse is not constrained 

18 in any way, but may include for example user profiles (e.g. preferences, recent purchases, 

1 9 etc.) or business services (e.g. costs for services, service capabilities, etc.). 

20 One approach is to use a single native SDI ontology, which is expanded as 

21 necessary. It would be the responsibility of providers of information in altemative forms to 

22 provide "translation services" to convert local data formats into the SDI native data format. 

23 A typical technology to support a shared ontological representation is XML (Extended Meta 

24 Language), which allows a grammar to be defined for a document, with meaning embedded 

25 in tags. The trend towards XML-based applications should facilitate a shared ontology 

26 structure, and allow metainformation to be associated with information and describe data. 

27 XML allows intelUgent integration of data from multiple databases. 

28 Alternatively, we can allow data to be stored in heterogeneous formats across a 

29 single unified database, within an object-oriented infrastructure. Each data object has a 

30 "wrapper" that controls access, and provides an interface for queries. When a query is 
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1 executed, the method is invoked, and the result computed with the method and the data. 

2 This is perhaps more efficient than the aforementioned approach, in that efficient data 

3 formats are query structures are retained. 

4 3.1 Data Structure 

5 In this section we describe the structure of the records in the SDI database. The next 

6 section describes the interface that allows user agents to submit data and update information. 

7 The data repository has the following key features: price rules are associated with 

8 information, to control access to information on the basis of information requested and 

9 properties about the requesting agent; meta-information to specify additional information 

1 0 about data records, for example has the information been certified by a third party. 

11 We describe the abstract structure of data records in the data repository. The 

12 semantics of the data field and the price rules depend on the type of information. All data 

1 3 records, whatever the information that they represent, contain the following elements: 

14 1. Owner ID. 

15 The owner ID is a three-tuple (Public Key, -SDI identity code, -Remote address). 

16 The public key is provided by an agent that submits data, and is one half of a 

1 7 public/private key pair in a public key based cryptographic infi-astructure. The public 

18 key is used to provide authentication of the agent, in case it wants to amend the 

19 record in the future. The agent can submit a message signed with its public key to 

20 prove its identity. An agent can use a different public key for each alias that it 

21 maintains within SDI. The SDI identity code is a unique code, generated by SDI for 

22 each agent alias, and provided to an agent to allow the agent to access the eBank and 

23 other ancillary SDI services, for example to collect payments received for access to 

24 the data. The remote address is an (optional) contact address for the agent that 

25 submits the information, for example an email address to a pseudonymizing module 

26 that will forward email to the agent under a number of different aliases. 

27 2. Record ID. 

28 The record ID is generated by SDI, and is used in the case that a user creates a 

29 number of different data records with the same owner ID. 
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1 3. Data object. 

2 As noted above, we allow data in SDI to be of different types, and a general data 

3 object might be represented in an internal coding that is not known to SDI. Such an 

4 object must provide an accessor function to allow queries to be performed. The 

5 query-execution module takes an object and invokes the accessor methods to perform 

6 a query. In the most general form, a data object is represented as a three- tuple: (data 

7 type, data field, data accessor). The data type specifies what the type of data is, for 

8 example is it a user profile or a business rule. The data field specifies the data, and 

9 can be a private record that is only accessed by the accessor, which provides an 

10 interface to allow queries of the correct format for the data type to be performed. 

11 In a simple special case, with data types designated by SDI centrally and data 

12 indexed with fixed fields, a data object is more appropriately represented as an 

13 association list between field names and values, e.g. (Fieldl, Valuel), (Field2, 

14 Value2), etc.. 

15 4. Price rules. 

16 The price rules provide the owner of information with control over the type of queries 

17 that can be performed on a particular data record. The price rules compute an ask 

18 price for a proposed query, on the basis of three pieces of information: what type of 

19 information, and what accuracy of information is requested; -what certificates can the 

20 querying agent present; can the information be provided anonymously or must the 

21 identity of the owner of the information be revealed? As special cases, a price $0 

22 corresponds to "access is possible for fi-ee", and a price Sinfinity corresponds to "no 

23 access is possible". The unit of currency need not be US dollars, but can be any unit 

24 of currency, or as we also suggest in one usefiil variation "Community Dollars" that 

25 are SDI-specific dollars which can only be spent with vendors that are registered with 

26 SDI, and can also be restricted in various ways. As a special case, the prices allow a 

27 simple capability-based security system, -because they can be set to $0 or Sinfinity on 

28 the basis of certificates owned by an agent that requests information. The price-rules 

29 are described in more detail in the next section. 

30 5. Meta-information 
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The meta-information associated with a data record is expandable, but at present we 
suggest the following pieces of information: is the data is randomized, and is the 
information certified? The method of random data perturbation is fully described later 
in this document. Certification can be provided by third-parties, who can verify for 
example the age or nationality of an individual represented with an electronic profile. 
We provide more information on metainformation below. 



7 3.2 Price Rules 

8 The price rules that can be associated with a data element are described in the next main 

9 section, the Query Execution Module section. The user associates a rule with data that the 

10 system uses to compute the price of a query during query execution. The price is further 

1 1 used within SDI to operate a data marketplace. Again, this is described in the next section. 

12 The user will eventually pay the total price for its access to all data elements used to 

1 3 compute the final response to a query; for example negative responses do not incur a price, 

14 it is only data that actively makes it into the process of computing the result of a query that 

1 5 matters. 

16 __We describe in the Query-execution module section the methods that are used to 

1 7 determine which data elements are used to compute the final response made to an agent, and 

18 therefore to compute the sum price for the final query. An agent is not charged for every 

19 access to data elements made during intermediate stages of executing a query. For example, 

20 if a query requests information about ten data records with high value associated with a 

2 1 particular field, the price of the query is the cumulative price for the access to the ten data 

22 records retumed in response to the query, and not for all the data records queried in 

23 determining the ten records to retum. 

24 In general, a query of a data record can be part of a larger query session, as discussed 

25 in the section on query execution. Within a larger query session, the same data record might 

26 be queried a number of times, for example with a large compound query split into a number 

27 of steps with continual execution contingent on continued correct responses. E.g. Select 

28 records of type A, then from those records select records of type B, then from those records 

29 select records of type C... In this case, because price rules might be non-linear in the 
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1 amount of information provided, it is important to provide a price-rule method with 

2 information to allow it to track a sequential query. 

3 As discussed in more detail in the next section, the system of SDI handles this by 

4 generating temporary and anonymous pointers to data records, that are valid only for a 

5 single session, and allow a price-rule to track sequential queries. The data record pointer 

6 allows the history of queries to be recovered, and a new price to be computed on the basis of 

7 total information provided. Similarly, this is important when a query might collect a lot of 

8 information about a data record and then request the identity of the agent that provided the 

9 information to SDI. The cost of revealing an agent's identity (and therefore allowing a 

1 0 secondary market in its information) might well increase with the amount of information 

1 1 that has already been released. 

12 Similarly, in some cases the same data record might be accessed on multiple 

13 occasions, but independently, such that the environment performing queries does not know 

14 that the data record is the same record from before. E.g., select records of type A and extract 

1 5 information with rule B, then select records of type C and extract information with rule D. A 

16 single record can be of type A and of type C, and therefore be selected for information 

17 extraction in both cases. In this case, each independent sequential query (i.e. A, B and C, D) 

18 has a set of data record pointers, so that the cost of extracting information is computed 

1 9 independently for any record that has type A and type C. 

20 Here is a simple example of a non-linear pricing function, that accounts for 

21 cumulative information that has been provided to a requesting agent. Suppose that any 

22 sequential query receives a temporary and anonymous pointer to a data record, that is only 

23 useful in the current query session. The data record pointer allows the price rule to 

24 implement a non-linear pricing rule. For example, consider the query 'what is the value of 

25 field A, B and C, split into queries 'what is the value of field A', then 'what is the value of 

26 field B', then 'what is the value of field C? The pricing rule might state: 

27 $0. 1 for any one of A, B or C 

28 $0.2 for any pair of A, B and C 

29 $10forallof A, BandC. 
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1 In this case, by tracking the data record pointer with which a data record is 

2 accessed, the price of the first two requests can incur an incremental charge of $0.1, 

3 while the price of a third request can incur an incremental charge of $9.80. 

4 At a per data-record level the price of a query depends on the response made to 

5 the query. This is important because an affirmative answer to the question 'are you the 

6 president of the united states' carries more information than a negative answer. This has a 

7 slightly undesirable side-effect, in that when estimating the price of a query in the pricing 

8 module, the estimated price of a query might leak information about the result, even 

9 without performing the query. However, we believe that the benefits of linking price to 

1 0 information content in a query outweigh this potential loss in value of information. Note 

11 in particular, that in general the ask prices associated with data records are private 

12 information and independently set, and therefore are not very revealing, especially within 

1 3 a competitive market place. 

14 3.3 Data Submission/Update Methods 

15 In this section we describe the basic methods to register with SDI, submit data, 

1 6 update data records, and access payments collected by SDI as information is queried. We 

17 use "agenf to refer to the computer system that interacts with the central SDI data 

1 8 warehouse, submitting data and requesting payment fi*om the eBank. Agents may represent 

1 9 individuals, vendors, or other self-interested parties. 

20 Data records can be submitted under multiple aliases by a single agent, to provide an 

2 1 additional level of control and flexibility in managing data submitted to SDI. For example, if 

22 an agent represents an individual that is an online consumer, interacting with different types 

23 of vendors, then perhaps the agent will use two aliases: one for while the consumer is at 

24 work, and one for while the consumer is at home. Alternatively, the agent can maintain a 

25 number of identities for different activities, or interests of the user. In the preferred 

26 implementation agents, for example web-browser based client agents, can manage an 

27 agent's selection of identities as it submits data to the central SDI warehouse local to the 

28 user. The ability to submit information under multiple identities protects the ability of an 

29 individual to prevent another agent building a complete picture about its preferences and 

30 profile, while still allowing that individual to leverage as much of the value associated with 
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1 its information as possible. The SDI proxy agent, situated on user's client machines, 

2 implements this functionality. It is described later in this patent. 

3 A standard cryptographic public key /private key infrastructure provides a useful 

4 technique to implement a system in which agents can maintain different aliases. As 

5 proposed in the work of D. Chaum [Chaum 81; Chaum 85; Chaum91] a public key (PK) 

6 and private key (SK) serves a number of purposes. First, the public key acts as an identifier 

7 for the alias, a name. Second, the agent can compute a new private key/public key pair when 

8 it requires a new alias. The agent keeps the private key secure, and this provides a method to 

9 allow the agent to validate its identity, for example by cryptographically signing a message 

1 0 with the private key. The signature can be verified with the public key, and the keys can be 

1 1 selected with enough bits to make falsification a computational impossibility. This 

1 2 infrastructure is outside of the current patent, but standard in the art. 

13 As described in the JANUS/LPWA system [BGGMM 97; BGGMM 98; GGMM 

14 98], it is also possible to associate a public/private key pair with a pseudonymous e-mail 

1 5 address, to allow information to be pushed to an agent that owns information under its alias. 

16 The system is implemented via pseudonymous proxies which a user agent to poll and check 

1 7 for new messages. 

1 8 An alias can also be completely anonymous, but in this case the value of the data 

19 provided may be less in the internal market place implemented within SDI (in the query 

20 execution module). The convention for an anonymous alias is that the user agent continues 

21 to provide a public key, and use a private key for validation of its identity. However, in this 

22 case the public/private key is one-off and just for this data record, and no return address is 

23 provided. An agent that submits information anonymously can still recover payments from 

24 the eBank. 

25 When a data record is first created SDI returns a data ID, so that the agent that 

26 submits information can specify a particular data records in future, in case it creates a 

27 number of data entries in the central SDI data warehouse. Submitting a new data record to 

28 the SDI data warehouse is accomplished with the following semantics: 
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1 (SDI identity code, SDI record ID) - SUBMIT( alias, data object, price rule, 

2 metainformation). 

3 The following protocol is followed in the SDI data warehouse in response to a 

4 SUBMIT message: 

5 1 . SDI first checks the alias against its record of existing aliases. If the alias exists, then SDI 

6 first verifies that the alias is not anonymous (in which case it should only have one record), 

7 and then challenges the agent to sign a random message with its private key — to validate its 

8 identity. Once validated, the SDI identity code is returned to the agent. Otherwise, if the 

9 alias is not found, then a new SDI identity code is created. 

10 2. SDI then creates a new data record, with the data object, price rule, and 

1 1 metainformation provided by the agent, and then computes a new record ID, which is 

12 also returned to the agent as proof that the record has been created. This record ID is used 

1 3 to change the data in the future. 

1 4 The owner of a data record can change the record with the following rules: 

15 Ok = CH ANGE(alias, record ID, data change) 

16 Ok = CHANGE(alias, record ID, price change) 

17 Ok = CHANGE(alias, record ID, metainformation change) 

1 8 As with the SUBMIT command, first the SDI data warehouse checks that the alias 

19 exists, and challenges the agent that submits the CHANGE request to sign a random 

20 message with its private key, to validate its identity. Then the record ID is located, and 

21 again it is verified that the record is owned by the agent with the alias. Finally, changes 

22 are made to either the data record, the price rules, or the metainformation. If everything 

23 checks out, then SDI returns TRUE, otherwise SDI returns FALSE. 

24 Finally, an owner of data can remove a data record with the following command: 

25 Ok = REMOVE(alias, record ID) 

26 The checks on the identity of the agent that requests that a data record be deleted 

27 are made as for the CHANGE command. 
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1 3.4 Meta-information 

2 An agent can associate meta-information with a data record, that can serve -a 

3 number of different purposes. Data records can be tagged with meta-information, that can 

4 include but is not limited to. Has this information been randomized? Certificates relating to 

5 the data record. For example, the meta-information might be a certificate from a third party 

6 about the integrity of information, or a certificate fi-om an agent's client-side SDI proxy 

7 agent that the information in the record is unique, and not submitted under any other aliases 

8 by that agent. 

9 A key example of the role of a certificate is described later in the patent, where we 

1 0 explain how the client-side SDI proxy can provide a certificate to state that this is the only 

1 1 data record with information X This is usefiil, because it allows an agent that submits 

12 information to maintain multiple records, but still provide a guarantee to querying agents 

1 3 that certain valuable information is not duplicated across multiple records. 

14 The meta-information may be associated with particular fields in the data 

15 associated with a data element, for example specifying that a particular piece of 

16 information has been randomized, or that a particular piece of information is highly 

1 7 sensitive and should be randomized before release. 

18 4. Query Execution Module 

19 The query execution module is a key component of the SDI system. Its key 

20 functionality is: 

21 a. Implement an internal market for information as queries are executed, ensuring 

22 that information that is provided for a lower ask price is used in preference to 

23 information at a higher ask price. 

24 b. Compute the price of queries based on information finally provided in response to 

25 a query, by keeping track of the data records that are used to compute a result. 

26 c. Interface with the pricing module to allow the price of a query to be computed 

27 without executing the complete query. 

28 d. Interface with the data repository, performing queries either on fields with fixed 

29 index labels (i.e. within a traditional database framework), or with respect to an 
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1 object-oriented framework with queries performed by invoking methods that are 

2 associated with data. 

3 e. Monitor conditions for the persistent queries, and provide a response to a query if 

4 conditions are satisfied. 

5 A central part of the invention of SDI is the method to compute the price of a query as it is 

6 executed. We described the semantics of price rules, -which price access to data. They are 

7 defined by the owner of information. The SDI query execution module implements an 

8 internal market for queries, and ensures that queries are executed at minimal cost to agents. 

9 The SDI query execution module is also responsible for collecting revenue on behalf of 

1 0 owners of information. 

1 1 We describe this methodology in this section, describing how the total price of a 

1 2 query is computed, as a sum of the price charged by the owners of data records that provide 

1 3 information which contributes to the final response. 

14 The query execution module follows a protocol to execute queries: 

15 1 . Request_For_Price(Query, Agent_Certificates) 

16 2, Estimate Price with call to the Pricing Module 

17 3. Price_Quote(Quote_ID) 

18 4. Request_Query(QuoteJD) 

19 5. Get_Payment() 

20 6. Execute the Query 

21 7. Report_Answer() 

22 In step (1) an agent makes a request for a query to be priced, stating the query, and 

23 providing certificates to allow the query to be priced, hi step (2) the query execution module 



24 makes a call to the pricing module, and a price for the query is computed (described in the 

25 next section). In step (3) the agent receives a price quote, and can then decide whether or not 

26 to execute the query, and also a query ID. In step (4) the query execution module receives a 

27 request to perform the query, and then in step (5) requests payment from the agent. When 

28 payment is received the query is executed (6), and appropriate payment is credited to agents 

29 that provide information, scaled to make the budget balance as necessary (in the case of an 

30 over or under price quote). Finally, the response to the query is provided (7). 
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1 4.1 Price Rule Semantics 

2 Each data record has an associated price rule that controls the price of accessing 

3 information. A data record can contain a number of different pieces of information, and data 

4 can be provided to different degrees of accuracy, so the price rule can be quite complex in 

5 general hi particular, consider a data record that represents the profile of an individual. The 

6 individual might be happy to have information released about some fields, for example its 

7 ZIP code, or its recent book purchases, but less happy to have information released about 

8 different fields, for example its salary or social security number. Clearly, different pieces of 

9 information within a single data record require different prices. 

10 Furthermore, a price rule for the data record as a whole might need to be 

1 1 superadditive across data elements, such that it becomes very expensive to request too much 

12 information about data associated with the same user. One of the driving concerns behind 

13 the present invention is that at present it is possible for on-line vendors to collect 

14 information about a single individual via "cookies" (identifying codes which are left on a 

15 user's client machine), and form a portfolio of information about variotis activities and 

1 6 preferences of that individual. 

17 While information about an individual might be acceptable in small amounts, in 

1 8 large amounts the same information can soon become unacceptable. Furthermore, even if 

1 9 users release information anonymously in response to a query, if a lot of information is 

20 released the identity of the user can be compromised. Every additional piece of independent 

2 1 information that I state about my profile identifies myself a little more clearly, and acts to 

22 distinguish me fi"om the profiles of other individuals. We discuss this further in a later 

23 section on random data perturbation, which describes how random noise can be added to 

24 data to counteract this effect. 

25 The basic idea is that the system of SDI allows a user to associate a price rule with 

26 every data record, that computes the price that a user must pay to execute a query over that 

27 data. We allow the price to vary, depending on properties about the requesting agent, the 

28 amount of information requested, and tiie level of identification that is required of the owner 

29 of the information in responding to the query. 
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1 The abstract form of a price rule for a data record is a function: 



2 (-Information-request x Certificates x Level-of-identification ) ^ Price 

3 Given a request for information, a set of certificates that a requesting agent can present, 

4 and the level-of-identification that is required of the agent that provides information (i.e. 

5 anonymous, or revealed identity), then a price rule computes an ask price. This is the 

6 price that an agent must pay to execute the query on the data record. 

7 However, as we describe in the next section, an agent only actually pays this price 

8 if the information provided is used to compute information in the final response provided 

9 to a query. For example, consider query "Select all data records close to record X". The 

10 query is most simply executed by computing the distance between each record and record 

1 1 X. Although a negative response from a record that is not close to X provides some 

12 information about that record, the information is not used to compute the information (i.e. 

13 set of records) that is finally provided in response to the query. 

14 As in the representation of heterogeneous price rules in SDI, the invention of SDI 

15 allows heterogeneous methods to compute prices for queries. In the most general case, 

16 we allow a price rule to be computed as a price method, which is invoked for a data 

17 record before a query is to be performed. The query-execution and pricing modules 

1 8 simply invoke the price method, and the data object provided by an agent retums a price 

19 for the query. In this most general version, the role of SDI is limited to providing the 

20 price method with the query, the certificates of the requesting agent, and the level-of- 

2 1 identification that is required. 

22 In a simpler variation the system of SDI can provide a number of default price 

23 rule languages, which allow a user to specify in simple but quite flexible terms a price 

24 schedule for queries. We describe two such rule languages: an uncertainty-based additive 

25 price rule; and a grouped additive price rule which is a simplified version of the general 

26 uncertainty-based rule. 

27 The uncertainty-based additive price rule allows a user to adjust the price for a 

28 query based on information about the requesting agent, the amount of information 

29 requested, and whether the information is required anonymously or with a revealed 

30 identity. It does not allow a non-linear coupling across the price of information about 

31 multiple attributes, but instead includes a simple upper-bound on the amount of 
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1 information that can be requested. Such a non-linear coupling could be added with simple 

2 interaction terms between the prices on elements, for example if - information about 

3 more than half of the elements in this set is released, then add price term L". 

4 4.1 .1 An Uncertainty-Based Additive Price Rule 

5 The uncertainty-based additive price rule allows a querying agent to present a 

6 certificate to prove that it is entitled to query a user's data for free, or prove that it is 

7 entitled to receive data at a price. If a querying agent can present no certificate from 

8 either set, then it is not allowed to query the data. 

9 Then, a user can define two different price rules, one for data revealed 

1 0 anonymously, and one for- data revealed with an identity. A price rule computes a price- 

1 1 term for each data element that is queried, with the total price for a query computed as the 

12 additive sum of all single element terms. The price for a query on an individual element 

13 is a linear function of the uncertainty with which the information is provided. For 

14 example, if a query requests the exact value of an element there is zero uncertainty, if a 

1 5 query requests a range of values for the element, or a 'value + random perturbation' there 

1 6 is some residual uncertainty, and we allow a user to associate a cheaper price with this 

17 result. The uncertainty is normalized with respect to the population of data elements in 

18 the SDI data warehouse, e.g. an uncertainty of 10% indicates that the reported 

19 information is consistent with 10% of data elements in the database. 

20 The price-rule is parameterized with the following information for each data 

21 element (or set of data elements, if a user chooses to associate data elements with a type): 

22 o A set of certificates that allow a query to be performed for free. 

23 o The price of an accurate response 

24 o A function to compute a discount from the accurate price, based on the 

25 uncertainty of the response. 

26 There are many possible discount functions, that include but are not limited to the 

27 following: 

28 © A linear price discount functions, such that 100% uncertainty corresponds to a 

29 discount equal to the accurate price. In this case, the user must only provide the 

30 price for an accurate response. 
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1 o A step price discount function, where the level of discount is associated with a set 

2 of discrete uncertainty ranges, e.g. <10% no discount, 10 — 30% receives a 20% 

3 discount, and 30-100% receives a 70% discount. 

4 o A quadratic price discount function, where the level of discount is associated with 

5 a quadratic polynomial function of the uncertainty, in this case a user needs to 

6 specify a number of intermediate discount points and SDI can compute a best-fit 

7 quadratic function. 

8 Stage 1 : Present a Certificate (Price-discrimination) 

9 First, the querying agent can present a certificate to allow it to query information for free, or 

10 to allow it to query the data for a payment. If the agent can present no such certificate, then 

11 it is not allowed to access the data. 

12 Assume that the requesting agents falls into one of three classes: it presents 

13 certificates to make its access free, it presents certificates to make access possible at a 

14 price, it presents certificates to make access impossible (infinite price). Let Free denote 

1 5 the set of certificates that allow a query to be performed for free, and Charge denote the 

16 set of certificates that allow a query to be performed for some charge. The failure to 

17 present certificates in either class indicates that an agent is not permitted to query the 

1 8 information. We do not suppose that the presence of a certificate can indicate a negative 

19 property, because there is no method to force a querying agent to provide a certificate. 

20 We also assume that agents must present the same certificates to access all data elements. 

21 It is trivial to relax this assumption. 

22 Stage 2: Specify the type of information required. 

23 Second, the querying agent specifies whether it is required that the information be 

24 provided along with the identity of the owner of the information. Assume that the agent's 

25 identity is either revealed (with a real or pseudonymous identity), or anonymous. The 

26 price required for particular types of information will vary with the level of identification. 

27 Stage 3: Select the appropriate price rule; Compute sub-prices. 

28 The "cross-product" of the certificate (i.e. free, price, or none) and the level-of- 

29 identification (i.e. anonymous, revealed) triggers a price rule. We allow the owner of the 

30 information to associate a price rule for each combination of certificate and identification, 

31 and with each data element. Many simplifications, for example "no access with no 
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1 certificate" and labeling data elements in a class, and providing a price rule for a class of 

2 data elements are possible. 

3 Without loss of generality, we can describe the price rule for a particular data 

4 element, and a particular cross-product of certification and identification. The price-rule 

5 contains a base-price, which is the price for accurate information about the data element, 

6 and a discount-factor, which reduces that base price by an amount related to the level of 

7 uncertainty in the response. 

8 A query might permit a response that includes a level of uncertainty, for example: 

9 o Is the value of the data field greater than a threshold value? 

1 0 o What is the range of values in which the value lies? 

1 1 o Compute an additive noise perturbation, and respond with a "value plus noise 

12 perturbation". 

13 The randomized perturbation technique, which allows the agent to return randomized 

14 information about its true value, is disclosed later in this patent. For simplicity, we can 

15 assume that any non-exact query can be associated with an uncertainty-value, which is 

16 computed based on the proportion of the population of data elements that can have values 

17 within the accuracy of the response. The system of SDI can compute this uncertainty- 

18 value, perhaps approximately based on static statistics computed on a periodic basis over 

1 9 information in the database. 

20 For example, SDI might assume that values are uniformly distributed between the 

21 lower and upper values over the population of data elements, and compute uncertainty as 

22 the fi-action of values within the range indicated in an agent's response. Suppose that all 

23 data records have values between 0 and 100, then a query 'is x > 70' has residual 

24 uncertainty 30/100 (normalized) if it receives a positive response or 70 /1 00 if it receives 

25 a negative response, while a query 'what is your value of x' has zero uncertainty for all 

26 responses. 

27 Assume that the uncertainty value is between 0 and 100%. The discount factor, 

28 discount(X), is computed as a function of the uncertainty X, with a larger uncertainty 

29 leading to a larger discount. 

30 Price(Q) = Base-Price(Q) - discount (Uncertainty(Q) ) 
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1 where Q defines the query that is to be executed on the data element, for example "what 

2 is the value of the data element", or "does the value of the data element lie within this 

3 range of values". The value Uncertainty(Q) is a measure of the residual uncertainty in 

4 the agent's value for the field after making a response. A simple discount function is a 

5 linear function, for example 

6 discount(Q) = Q * Base-Price 

7 such that an uncertainty of 0% receives no discount, while an uncertainty of 50% receives 

8 a 50% discount. A simple extension might add a multiplier, value between 0 and 1, to the 

9 discount term — so that the discounted price is always greater than zero. As discussed 

1 0 above, other more general functions are possible, e.g. non-linear and step functions. 

1 1 Stage 4. Compute total price. 

12 Finally, the total price of a composite query, query = Q_l, Q_2, Q_N, is 

13 computed in this additive price-rule as the sum of the component prices, where it is 

14 possible that different certificates are required for each element that is queried, as 

15 described by the price-rules for each individual data element. Note, however, that if any 

16 one of the queried elements can not be priced because the querying agent cannot present 

1 7 a certificate in the set Free or Charge for that element, the price of the complete query is 

1 8 * "infinite", and cannot be performed. An agent that breaks a query into a sequence of sub- 

1 9 queries could perform all queries that do not relate to that data element, but then the first 

20 query that relates to that data element is blocked. 

21 4,1 .2 Grouped Additive Price Rule 

22 The grouped additive price rule allows a number of simplifications to the basic 

23 additive uncertainty-based price rule described above. It is designed to allow a user to 

24 define less information in order to specify a price rule for all of its data in the SDI data 

25 warehouse. The basic idea is to group data, so that data elements of the same type can 

26 share the same price rules. We propose data sensitivity types, where each data element of 

27 the same type has the same price function. 

28 Furthermore, this can be used on combination with very simple price functions, 

29 that compute one of four prices: 

30 o Zero price, if an agent presents a Free certificate. 
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1 o Low price, if an agent presents a Charge certificate, and requests information with 

2 a High degree of uncertainty. 

3 o High price, if an agent presents a Charge certificate, and requests information 

4 with a Low degree of uncertainty. 

5 o Infinite" price, if an agent cannot present a Charge certificate. 

6 Different price functions can be defined for anonymous and revealed-identity. 

7 The price rule has the following components: 

8 a) A set of certificates that allow data access for free. 

9 b) A set of certificates that allow data access for some charge. 

10 c) A list of price- functions, each defined with two prices for revealed-identity and 

11 two prices for anonymous identity. The pairs of prices are for accurate 

12 information, and approximate information (with a minimal level of 

1 3 approximation). 

14 d) A mapping of data elements to price- functions. 

1 5 Again, the price of a fiill query is computed as the sum price over all information 

16 requests to all data elements. 

17 4.1 .3 Superadditive Price Rules 

18 We can allow a non-linear interaction between the price of queries on individual 

19 data elements with the introduction of additive interaction prices, which are fired when a 

20 threshold is exceeded for the total amount of information released over all data elements 

21 accessed in the same query. This is a simple approximation to a more general 

22 combinatorial price rule, which would price all combinations of data access terms 

23 explicitly. For example, a rule could state: "If more than T data elements are accessed in 

24 set Sensitive then add a "bundle price" L to the total sum price of the query."; or: "If the 

25 total weighted access to data elements in set Sensitive exceeds threshold T _U then add 

26 bundle price L J to the total price of the query"; -where the weighted-access is computed 

27 with weights equal to the degree of uncertainty associated with queries on elements. 
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1 4.2 Computing the Price of a Query 

2 A query can be quite complex, involving a number of operations on data stored in 

3 the data repository. Call a query session -a sequence of operations performed in response 

4 to a query, and before the answer is returned to the agent that submits the query. 

5 A general query specifies a program that operates over data stored in the data 

6 warehouse. All queries are of the form: 

7 A = SELECT records with property XI ; 

8 PROCESS records in A with method Yl ; 

9 B = SELECT records in A with property X2; 

10 PROCESS records in B with method Y2; 

11 C = SELECT records with property X3; 
12 

13 i.e., a general query is a sequence of select and process commands, where process 

14 commands are specified over temporary record pointers that are returned by SELECT 

1 5 commands. A temporary record pointer is valid only in a particular query session. 

16 Properties define Boolean conditions that are computed as the result of requesting 

17 information fi-om a data record. For example, 'is your distance to record X < 0.1', or 

18 'have you purchased a flight in the past month', etc. Methods define computational steps 

19 that are performed with record pointers. For example, 'if your salary > $40,000 then 

20 compute the similarity between your profile and the profile of record Y% etc... Both 

21 methods and properties may be executed by calls to accessor methods that are associated 

22 with data in the case of a database with heterogeneous data and an object-oriented 

23 methodology to access information. 

24 One possible syntax for a language to structure such a query could be loosely 

25 based around C++ or Java, with commands to be invoked as methods of data objects 

26 specified with object oriented notation. The language could be quite general purpose, but 

27 made consistent with the SDI database with a clear separation between the data in the 

28 repository, and the state of the query program. 

29 Access to data is tightly regulated, via data record pointers. Data record pointers 

30 are analogous to variable pointers in C++, and allow a query program to manipulate data 

3 1 and perform general operations on data records. Data record pointers in SDI provide a 
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1 key role, because they ensure that access to information is controlled, according to price 

2 rules that are associated with data. We maintain a single copy of data on a secure server, 

3 and pass dynamic and temporary pointers around while data is processed. A clear 

4 separation is maintained between the data and the state of the program that executes 

5 queries. 

6 Each query session is associated with a table of data record pointers. The table 

7 records valid data record pointers, that can be referenced in later query operations, and 

8 the current price of queries performed with the data record: 

9 Data Record Pointer | Current price 

10 I 

11 PJ I $0-10 

12 P_2 I $0.20 
13 

14 The SDI query execution module performs another key book-keeping service, recording a 

15 list of data record pointers that have been used to compute a result in the program that 

1 6 executes a query. 

17 For example, suppose that set PS contains a list of data record pointers, and a 

1 8 subsequent query operation makes the following command: 

1 9 count = Count(PS, 'property X') 

20 which can be interpreted as "count the number of records in set PS with property X". The 

21 query-execution module maintains a table of variable accounts, which records the data 

22 records that were used to compute a result: 

23 Variable Name | Associated data record pointers 

24 1 

25 _count I P_l, P_4, P_6 

26 _tmp I P_3,P_8,P_10 
27 

28 Whenever the value of a variable is computed from the values of a number of 

29 existing variables, then the list of data record pointers is the union over the data record 

30 pointers which were used to compute the values of the other variables. 



Page 47 of 381 



SUBSTITUTE SPECIFICATION 



1 Eventually, when a result is reported at the end of the execution of a query, the 

2 price of the query is the sum of the requested payment for the data record pointers that 

3 were used to compute the information provided, as stored in the table of data record 

4 pointers. 

5 Figure 3 illustrates the method diagrammatically. We maintain a "firewall" 

6 between data and the state of the query execution, with all access to the values in data 

7 records via data record pointers, and invoking price rules associated with data records. 

8 On the query-program side we maintain a table of data record pointers, and the cost of the 

9 cumulative information received from that data record under that pointer, and a table of 

10 variables and the data record pointers which were used to compute the values in the 

1 1 variables. 

12 All manipulation with the values of variables on the "query-side" of the data 

13 firewall can be performed with no additional data-access charge, because data access 

14 charges are only incurred in computing values of variables, when that -directly or 

1 5 indirectly requires that additional information be collected about the data records. 

16 The only charges are incurred when the processor receives information. This 

1 7 information might be in the form of a number, that represents the count of records with a 

1 8 particular property, aggregate information in the form of a new collaborative filter, or raw 

1 9 data extracted from data records. 

20 For example, SELECT operations are fi-ee until information in the data record is 

21 used to compute the value of something which is used in computing the final response 

22 returned in answering a query. A charge is accounted for against the data records which 

23 are queried and selected, but that charge is only levied if information is used. 

24 4.1 .1 Internal Market within the Query Execution Module 

25 The data side of the firewall is also responsible for performing the cheapest 

26 queries possible. For example, if there is a request to retrieve 100 data records with 

27 property X, then the database retrieves the data as cheaply as possible based on the 

28 access-control rules of the owners of the information in the database. 
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1 All operations are implemented within an internal market. The internal market ensures 

2 that information is provided according to the price rules associated with data records, and 

3 also places providers of data in competition with each other. 

4 The system of SDI implements an internal market, with queries executed as 

5 cheaply as possible. Both the SELECT and the PROCESS commands allow an associated 

6 restriction on size, e.g. "SELECT 100 records with property X", or "PROCESS 10 of the 

7 records with data pointers in list XI with method Y". 

8 In one greedy variation, each stage of a sequential query is executed as cheaply as 

9 possible. For example, for each operation the query is implemented by choosing the 

10 cheapest data records that satisfy the criteria. For example, the records that are selected 

1 1 are the 100 cheapest records to query that satisfy property X, and the 10 records in XI 

12 that are cheapest to process with method Y are selected. 

13 This greedy method is not necessarily optimal for a sequence of queries, for 

14 example when the records that are cheapest for the current query are more expensive for 

15 a later query. Another variation allows a set of records to be maintained, with the 



16 cheapest records used in reporting the final result to the user. It might not be optimal to 

17 use the cheapest records at every point. For example, if a query is described as "SELECT 

18 100 records with property X", then "PROCESS with method Y", and "RETURN result", 

19 it can be cheaper to select more records (e.g. 1000) initially, process all the records, and 

20 then return the 1 00 records that are cheapest after the processing. 



21 The method of storing the data record pointers in a table, along with the price 

22 required for information, and keeping a record of the data record pointers that are used to 

23 compute values during the execution of a query program provides a technique to compute 

24 the total price of a query. 

25 In the previous section we described price rules, which are associated with data 

26 records and prescribe on a record-by-record basis the price of executing a query. 

27 However, only data records that are used in computing the final result that is returned to 

28 an agent at the end of a query receive payment. 



29 4.1.2 Query Optimization 

30 Finally, consider the following two examples: 
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1 COUNT the data records with PROPERTY X 

2 and COUNT the data records with PROPERTY (not X) 

3 In an optimal pricing model these queries both have the same cost. To focus ideas 

4 further, suppose that no data records have property X, such that without additional query 

5 optimization the cost of the first query is $0, while the cost of the second query is the sum 

6 cost over all data records of reporting that they do have data property X. 

7 To solve this problem we add a simple query optimization routine in the pricing 

8 module, which can test different formulations of properties (i.e. negatives), and the effect 

9 of reformulation on price. The order of operations for a given expression of properties 

10 does not change the price, but the way in which properties are expressed can affect the 

1 1 price. 

12 In another extension, we can use statistical methods to optimize performance. For 

13 example, a query 'what % of data records have property X' can be computed using a 

14 sample of the total data records, for an accuracy/price tradeoff This functionality can be 

1 5 offered within the pricing module. 

16 Another key technique for query optimization is to allow the SDI central server to 

17 perform pre-computation, for example to classify data records into useful bundles, and 

18 allow future queries from agents to limit themselves to bundles of data records that would 

19 appear to have useful properties. The cost is then incurred for further information 

20 revelation from these records, and avoided for information revelation from records which 

2 1 may not have useful properties. 

22 4.2 Example of Query Execution 

23 As an example, consider the following composite query: 



24 1- SELECT all data records that relate to users that have purchased a flight in the past 

25 month, 

26 2- PROCESS: Sort the data records according to salary, 

27 3- SUBSELECT: Limit the records to those users that are willing to have their identities 

28 revealed, 

29 4- RETURN RESULT: Return the identities of the remaining users with the top 100 

30 salaries. 
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1 In step 1 data records from the SDI data repository are selected which have the 

2 required property, in this case corresponding to profiles of individuals who have 

3 purchased a flight in the past month. The table of data record pointers is augmented with 

4 temporary pointers (valid for this query session) to records with this property, and the 

5 price charged by each data record to reveal this information. Notice that the table only 

6 includes pointers to data records that have this property. Although data records that 

7 respond negatively to the query reveal information to the query-execution module, that 

8 information is never revealed to the agent requesting the query, and therefore no payment 

9 is received. 

10 In step 2 the data records that relate to profiles of users that have recently 

1 1 purchased a flight are now sorted in terms of their salary field. An algorithm to sort 

12 performs a sequence of comparisons between data records, with each comparison 

13 requiring that more information is revealed about the underlying salary of the profile, and 

14 changing the price associated with the data record. The prices are updated in the data 

15 pointer table according to the data record price rules, and the query program now has a 

1 6 list of ordered data record pointers. 

17 Now, in step 3, the query program initializes a new set of data record pointers. 

1 8 This includes all the pointers for users that are willing to have their identities revealed. 

19 The pointers are maintained in order of salary. At this stage the entry for this new 

20 variable in the table of variable accounts only associates the data records with this new 

21 property. 

22 Finally, in step 4, a new variable is initialized to contain the first 100 data record 

23 pointers from step 3. These are the data record pointers listed in the variable accounts 

24 table. These are the only data record pointers that receive payment as a result of this 

25 query, because the intermediate information provided by other data records remains 

26 within the SDI query execution module and is not released to the agent that performs the 

27 query. 



28 4.3 Discussion 

29 The pricing model as outlined above has the following attractive property: 

30 The price of a query is independent of the order in which operations are 
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1 performed, and optimization of order is not necessary for reasons of price. 

2 This is nice, because it means that agents do not have to perform lengthy optimization to 

3 structure queries in cost-efficient ways. The pricing module also ensures that: 

4 Agents only pay for information received as the result of executing a query. 

5 Finally, we implement an internal market, so that with all other things equal, data mining 

6 and other types of queries are executed as cheaply as possible: 

7 An internal market favors data records with low cost pricing instead of records 

8 with high cost pricing, with all other things equal. 

9 As an example, consider this query: 

10 COUNT (SELECT 'FIELDl = X' and 'FIELD 2 = Y') 

1 1 This query can be structured as 'Count (Select(X and Y))', or 'Count( Select( X, 

12 Select(Y)))', or 'Count(Select( Y, Select(X)))', all with the same cost. Although different 

1 3 amounts of information is requested from all data records in computing the query in the 

14 three different formulations, the final cost is computed only over the records that have 

1 5 property X and Y, and these records are the same across formulations and have released 

1 6 the same information. 

1 7 Similarly, consider the query: 

18 SELECT(Z, Select(Y, Select(X))); return '2'. 

19 i.e., perform some complex nested query but return the fixed value '2'. The query 

20 execution module tracks that no data pointers are used to compute the value returned to 

21 the agent, and the querying agent is not charged for the information provided about data 

22 records to compute the SELECT operations, because that information is retained within 

23 the central SDI data server. 

24 In a SELECT query the agent can only ever pay for information provided about 

25 data records that respond positively to a SELECT, because no information is ever 

26 released to agents about- the data records that respond negatively. 

27 In another example, consider a query 'COUNT the data records with PROPERTY 

28 X', that returns the result 'none', i.e. there are no data records with this property. This 

29 query is priced at $0 because none of the agents that own information provide 

30 information to compute the 
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1 Therefore, a query of the type- 'how many data records have type X' that answers 

2 'none' has price $0, because the individual agents have not revealed any information. 

3 Similarly, because we would like all equivalent queries to have the same price, a query 

4 "how many data records do not have type X" in the same database (answer "all of them") 

5 should cost $0 because the same query could have been formulated the other way. A 

6 reasonable way to ensure that a query is formulated in the cheapest possible way is to use 

7 an query optimization manipulation program, of the type that is common in database 

8 research, during the 'price quote' phase in order to find the formulation with the cheapest 

9 price. 

10 5. Pricing Module. 

1 1 The pricing module is a core component of the central SDI data warehouse. It has 

12 two functions: (a) to predict the price of a query without executing a complete query; (b) 

1 3 to aid in the allocation of payment given a price quote. 

14 We build into the pricing module a method to allow an agent to make a 

15 quality/cost tradeoff before executing a query, and even to specify a restricted query that 

16 will respect an agent's budget. Already embedded in the query-execution module is an 

1 7 internal market for data records, to ensure that cheaper data is used in preference to more 

18 expensive data access, given two identical data records. Furthermore, already embedded 

19 in the query-execution module is that agents only pay for the provision of information. 

20 Finally, the method computes a price for a query which is independent of the order of 

21 operations. 

22 We propose the following method for providing initial price quotes to agents in SDI: 

23 1 . Compute a range of price quotes in response to a query, for different amounts of 

24 computation (which can be varied by limiting the input set of data records), and for 

25 corresponding values of a "quality metric" provided by an agent that submits a query. 

26 2. Allow the querying agent to select an optimal price/quality/computation tradeoff, 

27 and then receive payment, execute the -query, and provide the response. 

28 3. Allocate payments to accounts in the eBank that correspond with data records 

29 which are used to compute the value of the result of the query, with payments 

30 adjusted if necessary to account for any error in the price quote. 
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1 5.1 Computing a Price for a Query 

2 We allow a small -fixed price F for an initial price quote, to cover the cost of 

3 computation and prevent agents saturating the server. The price module computes a price 

4 quote based on a statistical technique to compute the price of the full query without 

5 executing the full query. 

6 The basic idea is to perform the query on a number of records, e.g. 1%, 5%, and 

7 10% of the total records that will be used for the full query, and then extrapolate- to the 

8 full query size. We need to perform the complete query because on a subset of data 

9 records, instead of part of the query on all data records, because query programs can have 

10 different phases — and each phase might incur very different information costs. The 

1 1 number of records that are used for the query can be restricted by making a random 

12 sample of the total domain of data records used for a full query. 

13 5.2 Allowing a Price/Accuracy Tradeoff 

14 In computing the initial price quote we also suggest a tradeoff for the user 

1 5 between "result quality" and cost. Quality is subjective, and usually best measured by the 

16 agent that requests a query on the data. Therefore, we suggest that the querying agent 

1 7 should provide the metric, but limit this metric to a scalar value to prevent information 

1 8 leakage. We- allow an agent in formulating a query to specify a key metric that it will use 

19 to choose an appropriate size of query to execute. 

20 The core technique that we use to control the accuracy of the result of a 

21 computation is to limit the number of total data records that a query runs over as input to 

22 the query. Take a random selection of all the data, and use that for the processing. At this 

23 initial step we limit the price and the amount of computation performed. 

24 As an example, consider a query to collect pseudonyms for agents with useful 

25 properties. The metric of interest in this case is the average per-pseudonym cost, and this 

26 can be provided by the pricing module without providing any useful information to the 

27 querying agent. Given this information the agent can then decide whether to proceed with 

28 a query, and how much money to allocate. 

29 Similarly, perhaps a querying agent cares about the quality of match between data 

30 records and data records with ideal properties. The agent can provide a method to 
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1 instrument its query to compute this quality, and the price module can in pricing the 

2 query provide guidance about the tradeoff- between running the query over different 

3 numbers of data records. 

4 Another more involved method is to introduce randomization as the query is 

5 processed, because some owners of information may provide randomized information 

6 more cheaply than exact information. 

7 That will vary depending on the number of data elements that are queried. 

8 5.3 Making a Price Quote for a Budget 

9 Consider the problem of an agent that wished to perform a query with a budget B. 

10 For example, I would like to spend $1000 to compute a collaborative filtering model. 

1 1 There is a particularly simple way to allow this: 

12 First, estimate the cost of building a collaborative filtering model on the basis of 

1 3 data records, selected at random (or with some preprocessing of the database to 

1 4 identify useful data records). Estimate price P for the query. 
15 

16 Second, adjust the number of data records used to compute the actual query based 

1 7 on the price P that was computed, and the budget B. The number of data records, 

1 8 assuming a linear model of per-data record charging is simply Nx B/P. 

19 If there is reason to believe that the cost of a query is a non-linear function of the 

20 number of data records, then a number of samples could be priced, for suitable sample 

2 1 sizes A[_7, N_2j . . . etc. 

22 Ultimately, the result is a query that is adjusted in scope by an upfront limit on the 

23 number of records used for the query domain. The price module can scale the cost of the 



24 query, and make an appropriate price quote. 
25 

26 5.4 Optimizing the Price of a Query 

27 We also suggest a technique to adjust the formulation of properties in a query, e.g. 

28 'COUNT(SELECT records with property X)', could be reformulated as 'Count(all 

29 records) - COUNT(SELECT records without property X)', possibly for a smaller price. 

30 A random search technique can provide one simple approach to optimize query formulas. 
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1 6. Communication Module 

2 The communication module in the central data warehouse takes incoming messages from 

3 agents and decides how to handle them, and sends responses to queries back to agents. 

4 

5 The action selected in the communication module depends on the type of the message, for 

6 example the message can be a data-update request, a new query to execute, a request to 

7 add new profile information, a request to find agent profiles that match, or a request for 

8 processing a set of profiles that meet a particular criteria with an application in the 

9 database. 
10 

1 1 Figure 4 illustrates the communication module in block diagram form. Messages 

12 are received from agents, and passed to the data repository in the case of data-update 

13 commands, or requests to add new information to the data repository. Altematively, if the 

14 message represents a query then it is either placed in the queue for execution, i.e. the 

1 5 pending queries queue, or in the set of persistent queries — which are periodically checked 

1 6 by the query execution module and executed when the correct conditions exist in the data 

17 warehouse. The communication module can be implemented using standard message- 

1 8 handling methods known to those skilled in the art. 
19 

20 7. Physical Location of Data 

21 The default implementation of SDI assumes that information is physically stored 

22 in the central SDI data warehouse. However, this is not necessary. The system of SDI is 

23 designed to present a privacy-protected marketplace for data, where queries can be 

24 executed with complete transparency as to the physical location of the data over a 

25 network. It is not necessary that data is physically uploaded to the central SDI data 

26 warehouse. Instead, we allow a user of SDI to provide a virtual pointer to the location of 

27 the data on another machine, for example hosted by a trusted third-party, or for example 

28 their own data server when that server is located within their own facility and always 

29 online. Alternative data locations provide tradeoffs between computation efficiency, 

30 communication cost, delays, and privacy. 
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1 7.1 The Convergence of Network Devices 

2 

3 The invention of SDI is in no way limited to a centralized implementation. The invention 

4 is characterized by its methods and protocols for handling personal -information and 

5 query execution. As best as possible the invention applies to aay distributed system 

6 implementation that follows the disclosed methods. 
7 

8 Users with different types of personal computing devices can interact in a 

9 seamless fashion with the information and personalization methods provided within SDI, 

1 0 with implementations that allow remote data access and mobile data. The user must either 

11 be identified by permanent devices as he/she moves around, or the user has his/her 

1 2 dedicated mobile device. 
13 

14 Co-pending patent application, entitled Location Enhanced Information 

15 Architecture (LEIA), provides a basic framework for this type of multiple-device data 

16 collection and delivery network environment. It describes a device and location 

17 independent methodology for identifying individuals utilizing an artifact termed a user 

18 identifier (or UID). This artifact encompasses a variety of more specific media for 

19 identifying individuals such as smart cards, credit cards, biometrics, EZ Pass, GPS, and 

20 the like. Additionally our issued parent application to this case entitled: "Pseudonymous 

21 Server for System for Customized Identification of Desirable Objects" [ INSERT U.S. 

22 PATENT 5.754.938 NUMBER ] suggests a means for cross correlating user data for 

23 profiling purposes. The data may be collected from both on-line and off-line media 

24 sources, including the user's personal computer, purchase data collected by a vendor or 

25 credit card company. The profiling can be used to deliver personalized recommendations 

26 to the user through the web, through email, or even through point of sale terminals at a 

27 retailer's physical store location. 
28 

29 Other devices which may be used to push personalized information, and to collect 

30 profile information, include the users set-top box, in home appliances (such as stereo 

3 1 system), an automobile on-board computer, a personal digital assistant (PDA), a cellular 
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1 phone, a pager, an ATM, a fuel pump, point of sales-terminal, wearable computers, etc. 

2 In most of these examples, the device is typically a light client (which is descriptive of 

3 these "Network appliances"). One variation of -SDI's privacy architecture pushes a 

4 proxy server to the client-level, where a user's personal profile information is stored. This 

5 provides a secure technical framework for protecting user profile data. In the case that 

6 the client memory is limited, because the user has a "light" network client, then the proxy 

7 server functionality can be pushed to the ISP or a central SDI server. If the light client 

8 consists of a remote shared terminal (e.g. ATM kiosk, POS device), personal data may be 

9 transmitted from the user's own client device if/when and at the time it is needed and 

1 0 authorized by the user. This approach would be certainly feasible within the "always on" 

1 1 client scenario, for example with a user's data stored at his/her set-top box, which is 

12 always "on-line". 
13 

14 The devices with which a user interacts can check a user's data use policy, and 

15 then push data accordingly to the SDI network servers. Because servers at the network 

16 level are inherently not as secure as the user's own client, extremely sensitive personal 

17 information may still be stored even at a light client, i.e. data can be split across multiple 

1 8 locations. In general the user may make a tradeoff between data management (latencies, 

19 bandwidth) costs and with the potential loss of information that can occur when data is 

20 released to other parties, even if that party is the central SDI data server. 
21 

22 Infrastructure for Smart Home / Smart Office Intelligence 

23 The management of the potentially vast amount of information generated by such 

24 devices, as well as its privacy protection, is enabled by the "personal agent", an on-line 

25 software entity that represents and acts on the behalf of the individual user. Furthermore, 

26 this agent is capable of communicating with and negotiating terms with agents 

27 representing other entities, including systems that form the infrastructure backbone for 

28 intelligent homes and offices. 
29 



Page 58 of 381 



SUBSTITUTE SPECIFICATION 



1 Such systems (as embodied by the LEIA disclosure) have access to a broad range 

2 of input sources, allowing them to monitor different aspects of the user's activities or 

3 location. Inputs can include data derived from: 
4 

5 * Email, v^ireless PDA, telephone communications. 

6 * Web browsing 

7 * Personal Computers 

8 * Personal Digital Assistants 

9 * Pagers 

1 0 * Wrist watches (typically one-way, receive only) 

1 1 * ATM machines, point of sale kiosks 

12 * Ceiling-mounted video cameras 

1 3 * room-based motion and heat detectors 

14 * Internet-enabled automobile 

1 5 * Chip-enabled appliances 

16 * Electronic Schedule Books 
17 

1 8 Smart Home Application 

19 The concept of a "smart home" is not a new one: Even in the 1950's futurists 

20 discussed the possibility of imbedding intelligent systems into a house, relieving the 

21 homeowners of such boring daily tasks as watering plants or adjusting the thermostat. 

22 Such a system could easily be implemented today using control computers running 

23 simple sets of IF-THEN rules, but might soon prove unreliable because of its inability to 

24 adapt to new situations. For example, a garden party could easily be ruined if 

25 inadvertently scheduled at the same time as a scheduled lawn-watering. 
26 

27 LEIA provides a much more sophisticated alternative. Given a house that 

28 incorporates an intemal local area network (LAN) linking household appliances, sensors, 

29 communication devices, and home computers, LEIA could easily form the basis for a 
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1 truly intelligent and adaptive home environment capable of handling daily chores, 

2 security, and information delivery, 
3 

4 Firstly, LEIA could easily subsume the tasks traditionally slated for use in a smart 

5 home; however, its ability to infer the location and needs of family members would 



6 greatly enhance the handling of these tasks. For example, the above-mentioned garden 

7 party would not be spoiled because a motion sensor would inform the watering system 

8 that a party is taking place on the lawn. Or, being set in a power-saving mode, LEIA 

9 could light only those rooms currently being used; as a family member moved around the 
10 house, lights would be turned off and on, tracking the person's movement so that only 



1 1 their immediate surroundings are lit. 
12 

1 3 Secondly, LEIA could use its ability to predict informational needs (in a manner 

14 very similar to that used for the Automotive Information Delivery System) in the house, 

1 5 customized to the personal tastes of different family members. One could imagine recipes 

16 being delivered audibly in the kitchen, or a television program that follows a family 

1 7 member from room-to-room as he strolls around the house. 
18 

19 Finally, LEIA would have the sophistication needed to deal with intelligent 

20 appliances, telling the swinmiing pool to clean itself, for example, an hour before the 

2 1 commuter returns home. 
22 

23 LEIA provides a unified infrastructure for the increasingly sophisticated systems 

24 being incorporated into modem homes. It would act as the central manager, making sure 

25 that basic household tasks, security, and informational needs all work in a coordinated 

26 and intelligent manner, adapting smoothly to the uncertainties of daily life. 
27 

28 A smart home would have several different types of sensors: 

29 

30 i) "Passive" detectors 

3 1 *motion detectors 
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1 *sound detectors (including voiceprint and speech analysis module) 

2 *Active Badge detectors 

3 *Window and door sensors (are they open/closed?) 
4 

5 ii) sampled communications 

6 *telephone 

7 *e-mail 

8 *radio/TV 

9 * computer usage 
10 

1 1 iii) appliances 

12 *alarm clock 

13 *light switches 

14 * stove 

1 5 *dish washer/clothes washer 

1 6 * water taps 
17 

18 In addition, accessed via secure channels (perhaps using a personal agent as an 

19 intermediary), three major types of personal data are also useful for running the smart 

20 home: 
21 

22 i) Explicit rules for routine tasks (E.g., desired schedule for lawn watering) 

23 ii) Expressed preferences (E.g., a desire for morning news about 

24 international events) 

25 iii) Historical database of previous interactions between the family and the 

26 house (This will 

27 allow LEIA to learn daily routines and family habits). 

28 

29 There are two major classes of data that need to be served by LEIA: (1) control 

30 signals for household systems and appliances, and (2) information desired by household 

31 members. 
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1 

2 To a large extent, household systems can be appropriately controlled using a 

3 traditional rule-base, although a fuzzy rule-base would be inherently more flexible (IF 

4 <the bedroom is somewhat chilly> AND <it's almost time to wake up> THEN 

5 <substantially increase the bedroom's heat>). Many of these rules would be explicitly 

6 programmed by the family from the beginning; others could be learned using inductive 

7 methods. 
8 

9 Although most of the household systems could run unsupervised using such a rule 

1 0 base, LEIA would remain the ultimate arbiter, and could override the rule-based system 

1 1 in exceptional cases. For example, if the family suddenly has to go out-of-town, LEIA 

12 can infer their absence and inform the household systems to go on energy-saving modes. 
13 

14 It should be noted that certain state variables will have a major impact on this 

15 analysis. The date, time, mood (inferred from sounds levels and voice content), and 

16 current composition and location of people in the house should be careftiUy conditioned 

17 on. Strong daily routines will emerge (for example, a typical working day), but 

1 8 exceptions will also be noted (when the teenaged son is home alone, and in an exuberant 

1 9 mood, play pop music LOUDLY). 
20 

21 Extension to Data Delivery 

22 Given the ensemble of sensors that form part of the smart home, it would 

23 not be difficult to monitor the types of off-line information being consumed by the 

24 inhabitants. Biometrics (systems monitoring body state, facial expressions, retinal 

25 reactions), sound sensors (capable of translating speech to text, and then text to content, 

26 using natural language processing techniques), and video monitors (which could observe 

27 reading material such as magazines, textbooks, tv viewing guides, cookbooks, etc., and 

28 again use NLP methods to scan for content), would all form part of the input set. 
29 
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1 This information is combined with all other sensor readings to infer the general 

2 focus of user interest. Within the scope of the present network architecture, the parent 

3 patent application describes how such contextual data can be converted into target object 

4 profiles and through the use of the profile processing module "similar' target objects may 

5 be retrieved fi-om the electronic medial distribution system (cached locally or over the 

6 network) and delivered and displayed at the local user terminal device for viewing by the 

7 user. Such media (which may be tailored for delivery at a RV set-top) may include 

8 streaming video/audio, multi-medial files or video-on-demand which are delivered in 

9 near real time upon activation of the request and which are of matching similarity (or 

1 0 complementarity) to the print media viewed by the user presently. Alternatively, the data 

1 1 captured by the miniature camera device relating to the particular pages of print media 

1 2 presently observed by the user may consist exclusively of an identifier code a portion of 

1 3 which is used by the system for purposes of identification of the code (or alternatively 

14 such identification may be determined by its physical coordinates on the page itself). The 

15 other portion of the code is a unique identifier of the particular page, which may be used 

16 to identify manually by a content expert whereby select print materials and particularly 

17 their associated electronic counterparts are either matched, designed and/or customized 

18 for use within their system context of the present convergent media application. It is 

19 apparent that such a system could also be usefiiUy deployed to benefit advertisers, e.g., 

20 presenting advertisements electronically to correspond with particular printed content or 

2 1 matching printed ads with corresponding electronic counterparts. 
22 

23 This complimentary content, be it audio, video, text, or combinations thereof, 

24 including advertising conforming to user-defined conditions, is delivered through various 

25 in-home devices located in the proximity of the user. 
26 

27 Smart Office Application 

28 Large business centers can be very confusing places: people are often away fi-om 

29 their desks, many different meetings are scheduled and rescheduled during a single day, 

30 people are called off to emergencies, and clients drop in for unexpected visits. The 
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1 inability to coordinate people and information in such situations leads to greatly reduced 

2 efficiency. 
3 

4 LEIA offers a unified solution in the face of this chaos; by linking together 

5 people's schedule calendars, communications systems, contact information, and location 

6 coordinates, a system can be devised to (1) shepherd a visitor (even if unexpected) 

7 around the business center, (2) push vital contact information about the visitor to those in 

8 the company who will be visited, and (3) adaptively coordinate important meetings 

9 within the company. 
10 

1 1 When a visitor comes to the center, he will: 

12 a) _„sign in at a front desk; rather than sign a book, he logs in at a terminal that 

1 3 signals his presence to the company LAN. 

14 b) receive a hand-held computer that, while presenting the visitor with useful 

1 5 information, will emit a constant signal enabling LEIA to pinpoint his position at 

16 all times. 
17 

1 8 On the employee side, LEIA can acquire signals from: 

19 a) active badges 

20 b) telephones 

21 c) beepers 

22 d) interactions with terminals 
23 

24 All sensors are connected directly to a LAN internal to the company. Only basic 

25 security measures need to be enacted. 
26 

27 Registered visitors will likely be profiled in standard contact files containing 

28 information about their own company, position, professional interests, previous 

29 interactions with the company they're visiting, and basic personal details (e.g., 

30 photograph, wife's name). 
31 
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1 Employees of the company using this LEIA-based system will have much more 

2 information available. In addition to the standard contact information, LEIA will have 

3 access to their phone and e-mail logs, daily calendar/schedule, work group and project 

4 details, position within the company hierarchy, 

5 and work-station notes (e.g., an unexpected "out to lunch" message could be posted on- 

6 screen by the employee before they run off). 
7 

8 Although some higher-level intelligence is needed (e.g., for matching interest 

9 profiles between employees and visitors), the office-based system could well be run with 

10 a combination of a rule-base and optimization routine (which would be capable of 

1 1 coordinating conflicting schedules). Since this version of LEIA will be installed in a 

12 fairly controlled environment, the problems of location and timing will be fairly trivial, 

1 3 the former solved by active badges, the latter solved by smart calendar agents. 
14 

1 5 For the visitor: 
16 

17 If the visit is expected (and previously scheduled), LEIA will double-check the 

18 availability of the personnel to be visited and confirm or alter the schedule as needed. If 

1 9 the visit is unexpected, or certain employees are unavailable, LEIA will take into account 

20 the purpose of the visit and the visitor's professional interest profile to locate those 

21 available employees who would be best suited for a meeting. 
22 

23 Once the visit schedule has been arranged (although it could be adaptively altered 

24 during the course of the visit), the visitor will be fed information via the hand-held 

25 computer they've been issued. This might give them a visual representation of the 

26 building's layout, along with the best route to the next office to be visited (a more 

27 advanced building might simply have computer displays in its corridors capable of 

28 flashing directional signals to the visitor as he passes them). In addition, it might give the 

29 visitor basic information about the person he's about to visit (for example, they might 

30 have interests in common, or have gone to the same university). 
31 
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1 For the employee to be visited: 
2 

3 Whether or not the visit was previously scheduled, LEIA communicates with the 

4 employee's personal calendar agent and double-checks the employee's current location. 

5 If the employee is at a fixed location and has some fi*ee time, the visit is scheduled. 

6 Obviously, his connection to the visitor will determine what information, in addition to 

7 the standard contact data, should be pushed to his workstation. 
8 

9 For multiple employees requiring a meeting: 
10 

1 1 Given that multiple employees have signed up for a meeting, or that a single 

12 employee has sent out a signal indicating the need for a meeting and its priority (standard 

1 3 or emergency), LEIA gets to work coordinating the details. Cell phone and beeper signals 

14 give employee locations outside the office, active badges signal employees already at the 

1 5 office. Calendar agents are contacted for availability; a standard meeting might depend 

16 on people having time slots fi:-ee, whereas an emergency meeting would be given priority 

17 status, and could bump items already scheduled (given that they have been assigned low 

18 priority). 

19 An optimal meeting time and place (or teleconnection for remote employees) is set up, 

20 and any pre-meeting information is forwarded to the appropriate workstations. 
21 

22 meeting, engaged in an important phone conversation 

23 Resolution Credentials 

24 Section 2.2.1 of this patent discloses the use of resolution credentials for the 

25 facilitation of agent-agent interactions. Resolution credentials enrich the quality of such 

26 interactions because they certify the status claimed by individuals, allowing agents to 

27 maintain relationships of trust. On a more practical level, resolution credentials are of use 

28 for matching and introducing users to each other on the basis of common interests, for 

29 guarding access to high-level users (with the agent acting as a gate-keeper), and for flagging 
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1 times at which an individual is reachable (and not tied up in meetings, or the like, as 

2 specified by the scheduling agent). 
3 

4 7.2 General Description 

5 We allow a user of SDI to push some data A to the data warehouse, and make this 

6 data available to all other agents via the SDI query-execution module, and to retain local 

7 control over other data B on the client machine. In this section we discuss this and other 

8 variations, and explain how the functionality of the central SDI data warehouse can be 

9 replicated on a client machine in a client-side SDI database, to allow a user to leverage 

10 the value in local data when interacting one-on-one with another agent. For example, a 

1 1 consumer's shopping agent might wish to use local data about its preferences to allow an 

12 online vendor to configure its services, but without releasing the information to the 

13 vendor. We explain how this can be supported within SDI. 
14 

1 5 We allow the following variations: 
16 

17 LA user can store some information on his/her local client machine, with that 

18 information provided to other agents directly, or retained for querying by other 

19 agents on the local client machine as in the system of query-execution on the 

20 central SDI database. 
21 

22 2. A user can use a light client machine, perhaps a mobile computing device, which 

23 is periodically configured with information stored on the central SDI database that 

24 is relevant to the current task. This information can then be used directly by other 

25 agents in interactions. 
26 

27 3. A client machine can be automatically configured with information about a user 

28 when the user is in its proximity, again to allow direct information exchange with 

29 a local agent. 
30 
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1 4. The client machine can maintain all information, with virtual links from the 

2 central SDI data warehouse to the information. The system operates as before, 

3 with information provided if conditions are met, etc, 
4 

5 There are two basic motivations at work. One, a user might prefer to keep control 

6 over some information, even keep control away from a central SDI data warehouse, in 

7 case it is compromised in some way. We can allow a user to maintain data on a local 

8 client machine but seamlessly receive the same benefits as if the data was pushed to the 

9 central SDI data warehouse, with virtual links to the client machine. Query-execution can 

10 operate much as before, with data pulled from the client machine as necessary and 

1 1 charges levied. Operating overhead is incurred in such a system because data must be 

12 communicated over the Network during query execution. The client machine must also 

13 be "fat", with enough local data storage. 
14 

15 A different motivation occurs when a user has a very light client, for example a 

16 mobile computing device such as a Palm computing device or a cell phone. In this 

1 7 variation the user will perhaps like to store profile information relevant to the profile that 

1 8 it assumes with another agent in a one-to-one interaction, but not have space to store all 

19 profiles. The role of the central SDI data warehouse is to configure the light client 

20 dynamically. 
21 

22 With information on a user's client machine, then we can support local queries 

23 from other agents, for example on-line vendors might request information to allow an 

24 appropriate product to be displayed to a user, or a relevant advert. The queries can be 

25 executed in a number of interesting ways. First, the information can simply be released to 

26 the agent, and the agent can make appropriate use of the information. Second, the 

27 information can be retained on the client machine, and the agent can submit its selection 

28 function, and receive the optimal selection, for example a good advert to show the user. 
29 
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1 One interesting implementation of such a client-side data warehouse is via -smart 

2 stick technology, developed by Sony, which is a robust "data wand" that allows the 

3 storage of configurable data. 
4 

5 7.3 Important Data Location Variations 

6 It is useful to identify four key modes of interaction between a pair of agents 

7 within the system of Secure Data Interchange. The agents might, for example, represent a 

8 consumer and a vendor in a B2C e-commerce application. The modes of interaction are 

9 adjusted to allow for different data locations. 
10 

1 1 7.3.1 Data in SDI data warehouse 

12 In Figure 5 we illustrate the situation where agent 1 has its personal information 

13 about the user stored in the central SDI data warehouse, and provides agent 2 with the 

14 ability to process a query on the data warehouse and access information about the agent. 

1 5 The query might either request information about the agent's profile, or provide a method 

16 to execute in the data warehouse, where the result of the method is an optimal action for 

1 7 Agent 2 to make in providing personalized information and/or services to the user with 

18 agent 1. 
19 

20 

21 7.3.2 Data on the Client Machine (client-side SDI database) and in SDI data 

22 warehouse 

23 

24 Figure 6 shows an alternative variation where data is stored on an agent's client 

25 machine and in the SDI data warehouse, and the client-side SDI data warehouse can 

26 respond to queries from agent 2 in the same way as the central SDI data warehouse. In 

27 particular, as we suggest later in this document, this variation allows an agent 

28 representing an on-line consumer to store very personal information on a local machine, 

29 and for example only allow other agents to benefit from the results of analysis on that 

30 information without receiving the actual information. 
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1 

2 

3 7.3.3 All information stored Client-side. 

4 Another variation on the basic SDI architecture, is that all information is stored only 

5 as virtual links within the SDI data warehouse, with physical storage on an agent's local 

6 client machine. Preferably, in order to leverage the value of information the client machine 

7 would be always networked with the central SDI data warehouse. A current technical 

8 solution which seems appropriate would use a Set Top Box, connected via cable TV lines to 

9 the SDI network. Many households in the US have set top boxes, and this would provide a 

10 quite convenient way to leverage the value of information but keep it secure against 

1 1 inappropriate access in a central data warehouse. 

12 

13 In this variation, to support a personalized session with another agent the data is 

14 stored locally, and can be processed using a client-side SDI data warehouse with a local 

1 5 query-execution module. To also support data mining by agents of a shared database, the 

16 client-side data records could useful push data types and price rules to the virtual shared 

17 database, to allow more efficient searching. This variation describes a distributed SDI data 

1 8 warehouse, with indexing performed over on-line client machines. 

19 

20 8. Distributed Query Execution 

21 In addition to allowing distributed data location, the system of SDI allows 

22 distributed query execution, via client-side query-execution modules. The advantage with 

23 this variation is that data can be physically stored on trusted local machines close to a user of 

24 SDI, and the queries can be physically executed on the machines so that not even 

25 intermediate results are available outside of a local firewall protected system. There is no 

26 technical solution provided within SDI to prevent agents sharing information to other 

27 agents, other than to prevent agents from receiving that information in the first place. We do 
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1 this using three many techniques: pseudonyms, infomiation randomization (see Section 10), 

2 and query-execution in the SDI central server without release of raw data inputs. 

3 

4 We can implement safe client-side query execution with direct -replication of the key 

5 functionality of the query-execution and price-module of the central SDI data warehouse on 

6 a user's client machine. A querying agent can push the same method to an agent's client 

7 machine as it would submit to the central SDI query execution module, and an agent can 

8 execute the method locally and release information consistent with his/her data release rules. 

9 The SDI client-side agent can be configured, via the profile management and data-release 

1 0 policies, to control the type and amount of profile information released to the central SDI 

11 data warehouse. We discuss this in some detail in Section 9, on "distributed data 

1 2 management". 

13 The challenge is to be careful that the results of a query do not reveal too much 

14 information, but this is solved using the same price rules as in the central SDI data 

1 5 warehouse. The mode of interaction supported is QUERY(PID), i.e. execute a query on a 

16 particular pseudonym ID, and the client side query execution module ensures that the 

1 7 vendor has a certificate from the client-side SDI agent to query the information in the local 

1 8 database about that pseudonym. The control over^ the profiles that a vendor can access, 

1 9 coupled with the price rules to ensure that information is -perturbed as necessary and that not 

20 too much information is released, and to allow an agent to leverage the value of information. 

21 A user's agent can retain control over local information by limiting the information 

22 that can be released in response to a query. For example, although a query can be complex 

23 and access a lot of profile information on a user's client machine, we suggest an additional 

24 protection that controls the information that a vendor can receive for future use. It is possible 

25 to limit the response that the vendor receives to a fixed message size, e.g. to 10 bits for 

26 example, to provide a very strong overall control on the ability of a vendor to use 

27 information again in the future, 

28 
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1 8.1 Example: Customized Vendor Web Pages 

2 The method, called safe client-side query execution, has a direct application to 

3 systems for personalized information delivery, where it is not desirable to release profile 

4 information to an information provider, but preferable to allow the information provider to 

5 provide methods (e.g. queries) that are executed on a client machine, and personalize 

6 information before it is provided to the end user. 

7 A key application of this technique is in B2C on-line e-commerce where a vendor 

8 can push methods for personalization of a virtual shop front to a user, and the user's SDI 

9 enabled client machine can implement the methods (which are queries) on the client, and 

10 push the result back to the vendor's server. The server then constructs and pushes an 

1 1 optimized virtual shop front to be displayed on a user's local display. 

12 At present advertising networks such as DoubleClick (www.doubleclick.com) are 

13 able to track a user as he/she browses across multiple sites in the DoubleClick network 



14 because the ad server can place a "cookie" text string on the hard drive of a user's client 

1 5 computer which identifies that user as he/she browses. SDI is designed to be used on-line in 

16 combination with a method to block cookies, replacing them for example with "safe 

17 cookies" [Netscape 96] to still permit stateful interactions during a single session with a 

1 8 vendor, for example "shopping baskef ' style interfaces. 



19 The SDI-client side proxy agent can replace the role that cookies take in automatic 

20 user log-in and password checking, through a Janus/LPWA-style implementation [BGGMM 

2 1 97; BGGMM98; GGMM98]. A user's log-in user name and password can be derived from a 

22 user's pseudonymous identity, and computed within a cryptographic framework. Janus also 

23 provides a technique to allow a user to receive e-mail pseudonymously. 

24 A core technique in SDI is to use a unique pseudonym for each vendor, and then 

25 selectively provide vendors with profile information from across multiple pseudonyms; 

26 either anonymously within the central SDI data warehouse for data mining purposes, or 

27 altematively via client-side personalization so that a vendor can leverage a user's wide 

28 profile data without receiving direct access to that information. 
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1 In providing profile information to a vendor during an interaction, so that the 

2 vendor can provide targeted products and servers to the user based on data mining that it 

3 has performed on aggregated user data in the central data warehouse, the user's agent 

4 must be careful to protect the identity of a user. This means that the agent must not reveal 

5 information under pseudonym P I and information under pseudonym P_2 to another 

6 vendor that allows the vendors to link the pseudonyms and reason that the agent 

7 represents the same user. 

8 We describe in Section 10 the technique of random noise perturbation to release 

9 information in response to queries, and another simple technique is to carefully protect 
1 0 particularly sensitive information (e.g. social security numbers, etc.) 

11 

12 8.2 Client-side Query Execution 

13 As described earlier, a key variation of SDI retains a local data warehouse and query 

14 execution module that contains information specific to a single agent, on the client machine 

15 of that agent. It is then possible, via the same query execution controls as described in the 

16 central SDI data warehouse, to allow vendors to characterize and profile a user based on its 

17 local data, but without gaining explicit information about the user's local data. The vendor 

1 8 can push appropriate methods and targeted services. We describe a number of bottom-level 

1 9 applications later in the patent, including personalized web pages, ad-networks, etc. 

20 We describe one variation in which the vendor provides generic information to the 

21 client-side device, that filters that information locally. This is relevant for example in high 

22 bandwidth information services such as digital television and satellite systems, where a 

23 user's set top box can store program information locally and make local decisions about 

24 what programs a user might like to watch and when, without providing any profile 

25 information to the head-end server. 

26 In this variation an agent can submit a query to be executed locally on a client-side 

27 SDI data proxy, that stores information submitted by the local agent. The applications of this 

28 technique are exciting, because it allows a user to maintain even more control over profile 

29 information but still benefit fi'om personalized interactions with vendors. The client-side 
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1 SDI data proxy just contains data for the local agent, and allows agents to submit 

2 'personalization queries' of the type 'execute this profiling rule and tell me what product to 

3 show the user'. The outcome of the processing might be personalized information, -for 

4 example a selection of books that a user might be particularly interested in based on its 

5 profile information and the methods passed to the agent by the agent that sends general 

6 information about the books in its catalogue. 

7 Figure 7 illustrates the process. The SDI proxy agent maintains a set of profiles for a 

8 user, relating to transactions that the agent has performed with other agents in the system, 

9 and also other information that relates to the user associated with the agent. A vendor agent 

1 0 can send generic information and a method for personalization, which is executed as a query 

1 1 on the local profile data base, with the results allowing a vendor to decide how to target its 

12 products and services to a user. For example, a book retailer might be able to provide a 

13 selection of books that a user might be particularly interested in based on its profile 

1 4 information -and the methods passed to the agent by the agent that sends general information 

1 5 about the books in its catalogue. 

1 6 We can provide rule templates, which are used to select the type of method that the 

1 7 provider of the information is requesting be applied to the generic information that is passed 

18 to the requestor agent. The provider agent only needs to provide parameters- for the 

19 processing. For example, if collaborative filtering is the desired personalization technique 

20 then the providing agent provides a list of prototypical cluster centers,- but does not need to 

21 specify a collaborative filtering algorithm. The interpreter takes the information and 

22 methods fi-om the providing agent and selects the appropriate rule template to form a 

23 program that is executed as a safe query in the CPU, with the usual controls over the amount 

24 of data that a query can access. 

25 The output fi-om this processing is personalized information, that can then be 

26 displayed to the user, perhaps to a final test in the control module for applicability. 

27 
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1 8.2.1 Preventing Information Leakage 

2 The challenge is to be careful not to allow the results -of a query, even those data is 

3 not explicitly revealed to an agent that submits a query, to carry sensitive information that a 

4 user would rather not reveal. We allow this by: (a) partitioning a user's local profile into a 

5 number of different identities, so that a vendor can only access data for a particular profile; 

6 (b) allowing only "safe" information to be reported; (c) allowing only "safe" data fields to 

7 be accessed. 

8 One particularly simple technique is to limit the size of a response to a query by the 

9 number of bits, because this can quite nicely prevent the release of too much information, 

10 when coupled with close control over the type of data that is accessed. For example, a user 

1 1 might be willing to allow queries with any amount of -"less sensitive" information, with the 

1 2 understanding that the vendor only receives at most 1 0 bits of information. 

1 3 As described above, this profiling might also be a -sequential iterative process, so 

14 that the vendor does not need to transmit a compete decision tree up-fi-ont, but request a 

1 5 sequence of information. Only release information to a vendor that we select, and do not 

1 6 allow the same vendor to access too much information over an extended period of time. 

17 

18 8,3 Extended Example: Managing Distributed Personalization 

19 In this section we describe an extended application of distributed query execution, 

20 for a vendor that wants to customize its products and services to a particular user. A 

21 central application of SDI is a system where users submit profile information to the 

22 shared SDI data base, and receive personalized information and possible cash payments 

23 in return. This variation has users optionally submitting information to the central SDI 

24 database, and receiving personalized information based on statistical patterns that a 

25 vendor is able to assess from the information that is submitted by other agents. A vendor 

26 can provide a user with personalized content that reflects his/her interests based on the 

27 types of information that other agents with similar profiles like to receive. 
28 
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1 Figure 8 provides a top-level view of one such agent, that we refer to in this section 

2 as a personalization agent. We consider an agent that maintains an identifier and (partial) 

3 profile information for the agents that it has interacted with. Consider, for example, email 

4 addresses of customers to Amazon.com. The vendor-side SDI proxy can maintain profiles 

5 for each user that it interacts with, indexed on the basis of the log-in identity that a user 

6 users. The agent can also use a "processor" device that takes data about the profile of a user, 

7 and the rules that have been collected based on profile information in its local database and 

8 fi-om wider SDI query execution, and computes the personalized information that n agent 

9 might be most interested to receive. 

10 The personalization agent's information database (Figure 8) contains all information 

1 1 that the agent can provide to other agents, -for example this would be all of today's news 

12 stories in the case of an agent representing the NewYork Times. The rules database 

1 3 contains methods that tiie agent can use to decide how to select information to present to a 

1 4 user based on profile information about the user. The profile information can be stored local 

15 to the personalization agent for the information that the agent has collected about other 

16 agents, other information will be stored either in a central SDI database, or client-side at the 

17 user's SDI proxy. The communication modules receives requests firom information fi*om 

18 agents, and information about agents' profiles, -either fi-om agents directiy or fi*om the 

19 central SDI server. The communication module also sends rules and profile information to 

20 other agents, requests for information to the central SDI server, etc. 

21 In Figure 9 we look inside the personalization agent's control -module, which is the 

22 module that -receives requests for information fi-om the communication module, and checks 

23 whether the agent has the type of information that the agent requests, and then recovers the 

24 profile for the requesting agent and sends that to the processor. The processor selects a rule 

25 fi-om the rule database to use in deciding what data to send to the requesting agent, -and can 

26 also select a method fi"om the rule database to accompany the data when it is sent to a 

27 requesting agent. 

28 
29 
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1 The control module receives a request for information from the communications 

2 module, and checks with the information database for its capabilities to provide information. 

3 A query can also specify no particular information. The next step is to consult the profile 

4 database, and investigate whether the agent already has profile information about the user, 

5 which it can used in the processor to select a rule that will decide which information to push 

6 to the agent. 

7 The processor returns a rule, and the control module consults the information 

8 database, and recovers the required information. Finally, the control module forwards the 

9 information, and optionally a method to further process the information at the requesting 

1 0 agent with profile information stored locally to the requesting agent. 

1 1 Figure 10 illustrates the role of the processor module in the personalization agent. 

12 The module receives the request for information from an agent, -and any profile information 

13 that the personalization agent already has about that agent or that is provided with the 

14 information request. The processor consults the rule database, -and selects a rule with which 

1 5 to decide what information to send to the agent. The processor can also decide to send a 

16 rule with the data, that will be processed on the client of the agent making the request for 

1 7 information based on local profile information to that agent. 

18 The decision module within the processor (Figure 10) selects a suitable rule, and 

1 9 decides what information to provide to the agent. This rule is passed to the threshold testing 

20 module. This is where a decision is taken about whether further customization should be 

21 performed local to the -requesting agent, based on its local profile information. If the rule 

22 provides sufficientiy well personalized information then the processor instructs the control 

23 module to process the information with the rule, and send the results back to the information 

24 gathering agent. Otherwise, for example in the case that the personalization agent does not 

25 have accurate profiling information about the requesting agent, the processor will instruct 

26 the control module to partially process the information as best as it can, and then send that 

27 processed information and an additional rule to the agent for additional processing. 

28 
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1 9. Data Management 

2 The invention of SDI, in its most general form, refers to the system for a privacy- 

3 protected market for data interchange between multiple parties. In this section we discuss 

4 possible methods for an agent to manage its disclosure of data to the data interchange, 

5 and to other agents in the system. We allow agents to adopt different identities, and 

6 submit different information under different identities. The idea is that a pseudonym 

7 prevents other agents from exchanging information. Given an identity management 

8 policy, the data management policy is then used to determine what data to submit to the 

9 central data server, or release to other agents, under a particular pseudonym. The agent 

10 needs to choose what data to release, and what price rules to associate with that data. 

11 We propose client-side "proxy agents" to intermediate the interactions between 

12 agents, and manage data provided to the central SDI data warehouse; and- methods to 

13 manage an agent's identity in interactions with other agents, for example via pseudonymous 

14 and anonymous interactions. The proxy agents control the amount and types of information 

1 5 exchanged between agents. We refer to the proxy as "client-side", because it resides on the 

16 machine local to the agents that participate in the system of SDI. The client-level SDI proxy, 

17 implemented as a client program rurming on the user's client machine, manages all data 

18 release from the user to other agents and to the central SDI data warehouse. The proxy 

19 might usefully provide a rule-based interface to allow a user to select appropriate data 

20 management policies. 

21 An important application of SDI is to a system for business-to-consumer (B2C) e- 

22 commerce, where SDI allows individuals to provide vendors with access to profile 

23 information that is collected client-side about an individual as he/she interacts with vendors, 

24 but retain control over the amount and level of detail that is made available and collect 

25 payment for that information. A key function of the client-level proxy is to control the 

26 ability of multiple vendors to track a user, by control of the identity of a user in its 

27 interactions and the information released. The client-side proxy agent maintains profile 

28 information about a user, but releases that information according to a user-defined policy. 

29 The system of SDI, together with these client side proxy agents, allows a user to control the 

30 amount of information that is released to vendors and other agents, and allows users to 
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1 exchange information within a privacy-protected and carefUUy controlled market place and 

2 receive personalized products and services The proxy might usefully provide a rule-based 

3 interface to allow a user to select appropriate data management policies. Vendors can run 

4 collaborative-filtering type applications on profile data ft-om many online consumers, and 

5 use that information to personalize products and services in the fixture. Vendors can continue 

6 to build collaborative filtering models and other personalization models that used extended 

7 profiles, and users can receive the benefits of personalization without releasing profile 

8 information to a vendor; e.g. by personalization within the central SDI query-execution 

9 module or by personalization on a user's client machine. 

10 

11 9.1 Overview 

12 The basic assumption is that there is no technical method to prevent vendors from 

1 3 sharing information once they have that information, but it is possible to reduce the value of 

14 that information and the privacy implications for a user by making it very difficult to 

1 5 determine that two agents represent the same user in two different interactions. 

16 The ability to interact pseudonymously with other agents, and adopt a unique 

17 (temporary or persistent) pseudonym for each agent-agent interaction, is not in itself novel. 

1 8 This is described in the literature, for example as early as the work of Chaum [Chaum 85], 

19 and others more recently [FR 98; Cranor 96; BGGMM 97; BGGMM 98]. What is novel is 

20 the central SDI privacy-protected marketplace, that respects metainformation that agents 

21 associate with data, to carefiiUy control the availability of data to other agents. Also novel is 

22 the method of 'distributed query execution' (Section 8), that allows an agent to push a 

23 method to another agent, and take a decision based on private information without learning 

24 the information. 

25 In Section 9.2 we present example identity-management policies. At one extreme, if 

26 an agent interacts with every other agent under a unique pseudonym, and never allows two 

27 agents to match its identity based on information that it releases, then the other agents have 

28 no way of combining information about the agent. In tiie business-to-consumer e-commerce 

29 example, vendor A cannot share information about consumer Z with vendor B unless 
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1 vendor B has some way of linking its customer with the customer of vendor A. This can be 

2 done at present via cookie mechanisms and advertising networks (e.g. DoubleClick), or 

3 simply by matching identifying information (e.g. user name, e-mail address, credit card 

4 number) across sites. 

5 In Section 9.3 we describe data-release policies, which are methods that determine 



6 what information is released for each pseudonym a user selects, and the rules associated 

7 with accessing that information. We also note that an agent can choose to introduce a level 

8 of noise-perturbation to data before its release, so that the data is still useful but cannot be 

9 used to link an agent across multiple pseudonyms via the data that it releases. Altematively, 

10 an agent can release data with a reduced level of accuracy, for example within a range of 

1 1 values, and/or restrict the types of data that are released. Methods of data perturbation are 

1 2 discussed in more detail in Section 1 0. 

1 3 Finally, note that there are two parts to the data management policy. One relates to 

1 4 the data that a user releases to the central SDI data warehouse under a particular pseudonym, 

1 5 and another relates to the data that an agent releases to another agent in a direct agent-agent 

16 interaction. The following bullets summarize the distinction, and note the sections for more 

1 7 details. 



18 o [9.3: Data Management Policy] Manage the Release of Data to the Central SDI 

19 data warehouse (with either physical uploading of data, or release of links to 

20 physically distributed data); this includes the association of price-rules with data 

21 that is provided to SDL 
22 

23 o [9.4: Agent-Agent Data Management] Manage direct Interactions with other 

24 Agents, for example controlling the identities used in interactions, and the amount 

25 and type of information released. This is really a special-case of Sections 9.2 and 

26 9.3 for data release to the central SDI database. 
27 

28 In addition to the identity and data management policies, an extension of SDI 



29 could allow statements about "fair use" of information, much as is developed in the W3C 
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1 P3P project [W3C; CR 98; RC 99], that allows a user to state for example whether or not 

2 it would like to receive electronic mail in response to information, whether the data can 

3 be exchanged with other agents, whether it can be used for personalization. "Fair use" 

4 policies are typically protected by "catch and punish" mechanisms, for example with spot 

5 checks by special interest groups on business practices, and not with technical solutions. 

6 In comparison, we focus on technical solutions to allow a user to control information held 

7 by other agents; for example by careful identity management, careful data management, 

8 and careful metadata annotations to control queries in the central SDI database. 
9 

10 9.2 Identity-Management Policy 

11 Identity management policies allow an agent to assume pseudonymous or 

12 anonymous identities in its interaction with other agents, for example in the context of 

13 consumer-to-business commerce preventing two vendors from exchanging information 

14 about the same agent on the basis of the agent's revealed identity. An identity-management 

1 5 policy defines an appropriate identity (pseudonymous or anonymous) for different agents 

1 6 with which an agent might interact. 

1 7 A pseudonym can be unique for each agent-agent interaction pair, in which case 

1 8 another agent can store information about repeated interactions but cannot exchange that 

1 9 information with other agents on the basis of the pseudonym, because the pseudonym is 

20 unique. A stronger form of privacy is provided with an anonymous identity, that does not 

21 allow even the same agent to track the agent across multiple interactions. An anonymous 

22 identity exists only for a single session — ^until either party agent changes context and 

23 connects to another agent. A pseudonymous identity system can be implemented using 

24 standard cryptographic techniques known in the art. For example, the JANUS/LPWA 

25 system [BGGMM 97; BGGMM98] allows a client-side proxy to compute a new pseudonym 

26 for an agent, and also a new e-mail address and user-name and password for that 

27 pseudonym, to allow access to web-pages that require user log-in. In particular, it is possible 

28 to compute new pseudonyms for a user without a central register of pseudonyms that could 

29 compromise a user's identity, through the technique of "blinded signatures" [Chaum 85]. 
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1 The identity-management policy can be configured by a user when he/she first 

2 registers with the system of SDI; for example a simple policy might classify agents 

3 according to the certificates that they can present, and select a pseudonym according to the 

4 agent's class. 

5 Other reasonable identity-management policies include: 



6 

7 o Absolute Privacy. At the highest level of privacy an agent interacts anonymously 

8 with every other agent so that agents cannot learn about the agent across sessions, 

9 and cannot personalize future interactions. Furthermore, information about the 

10 transaction with the agent, cannot violate a user's privacy when provided to other 

1 1 agents, so long as the agent does not release any identifying information during its 

12 transaction. 
13 

14 o High Privacy. At the next level of privacy, an agent interacts with every agent under 

1 5 a unique persistent pseudonymous identity. This prevents another agent exchanging 

16 information about the agent with other agents, unless the agent reveals other 

17 identifying information. However, this policy does allow agents to receive 

18 personalized information over multiple sessions with the same agent, directly 

19 without the vendor using information submitted to the central SDI data warehouse, 

20 or stored on a client-side single-user database. Another agent can personalize 

21 information, but only on the basis of previous transactions with the agent, hi an 

22 Intemet environment this mode of interaction allows a vendor to track its customer 

23 across multiple sessions. 
24 

25 o Medium Privacy. Use the same persistent pseudonymous profile with groups of 

26 other agents, perhaps segmented according to the type of task that an agent is 

27 performing. With this level of privacy agents still control of the ability of other 

28 agents to build portfoUos of information. Examples: (a) an agent might specify one 

29 identity for whenever it is purchasing books, so that any book seller agent that it 

30 approaches can access profile information that relates to the agent's previous book 
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1 purchases and queries (so long as someone will provide/exchange/sell/rent that 

2 information to the agent); (b) an agent might require that a different pseudonym is 

3 used for business-related transactions and leisure-related transactions, to allow more 

4 precise personalization; (c) consider a family that interacts with other agents through 

5 the same SDI proxy. Each member of the family might choose to use a different 

6 pseudonymous persistent identity for all of his/her on-line transactions. 
7 

8 o Low Privacy. No attempt is made to protect the identity of an agent. This is the 

9 default privacy level provided via current Internet browsers, at least in the common 

1 0 usage of individuals. The system of -Secure Data hiterchange is useful with this level 

1 1 of privacy only to the extent of leveraging the value of information that has not been 

12 released to any agent. There is not technical method to prevent agents from 

1 3 exchanging information that relates to transactions they have performed with the 

14 same agent. 
15 

16 A general method to select a "medium" privacy strategy, with different pseudonyms 

17 for different agents, but some shared pseudonyms, is to suppose that agents present 

1 8 certificates. A certificate places an agent into a particular class, and each class is associated 

19 with a particular pseudonym. Therefore agents that can position themselves in a particular 

20 class that is shared with other agents can share profile information; while an agent that can 

2 1 not position itself within a shared class will receive its own unique pseudonym. 

22 A useful default policy is to suggest that an agent adopts a unique pseudonymous 



23 identifier for each vendor that they interaction, and then explicitly link pseudonyms as they 

24 decide, via a link-conmiand to the central SDI database. The policy is a hybrid of the core 

25 suggestions above. Initially a user selects high privacy, but the user can choose to 

26 incrementally relax this privacy decision on the basis of continued interactions with agents. 

27 A user might also sell links between profiles, to agents that can present the right 

28 characteristics and pay the right price. 

29 
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1 Example in Consumer-Business On-line Commerce. Figure 1 1 illustrates agents 1, 2 and 3; 

2 agent 1 maintains one pseudonym for vendors 1 and 2, and a different pseudonym for 

3 vendors 3 and 4; agent 2 maintains one pseudonym for vendors 3 and 6; agent 3 maintains a 

4 unique pseudonym for each of vendors 1, 3 and 5. 

5 Of course, a vendor might adjust its level of service according to the level of 

6 identification provided by an agent. For example, a vendor might provide a more complete 

7 service to a user that provides a pseudonym than a user that provides an anonymous 

8 identifier, because a pseudonym allows a vendor to collect information over an extended 

9 period of time and build a detailed profile that can enable fiature personalization. 

10 

1 1 9.3 Data-Release Policy 

12 The client-side SDI proxy provides support for automatic submission of profile 

13 data, and other types of data, to the SDI central data warehouse. This includes policies for 

14 pricing queries, and policies for introducing random perturbations to data. 

1 5 There are a number of human/computer interactions that are important in allowing a 

16 user to configure these options, . Many of the issues were anticipated in Cranor's work [CR 

17 98; RC 99], in which she describes methods adopted in the W3C P3P (platform for privacy 

1 8 preferences) project, and suggests that users can as a first step select a special interest group 

19 with which they are affiliated, use that as a base policy, and then adapt the policy as 

20 necessary. Altemative techniques include decision-tree methods as described in pending 

21 patent [INSERT US PATENT NUMBER AND NAME], that ask a user a number of 

22 questions in order to ascertain an appropriate service. There are many dimensions that a user 

23 might like to identify; for example: the type of information that can be released, the types of 

24 queries that can be performed on that data, the price that must be paid to perform the 

25 queries. For example, we might hard code different price and data-release policy codes, e.g. 

26 A B C D. . ., and allow third-parties to provide maps between data types and an appropriate 

27 policy code. 

28 
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1 We view an agent's complete data release policy as an intersection of its data 

2 management and identity management policies. As with identity management, a simple 

3 variation will define a fixed number of data management policies, stating types of data that 

4 can be released and conditions, and a mapping fi*om agent certificates to policies. An agent 

5 can receive whatever policy it presents a certificate for. 

6 

7 9.3.1 Data Validation 

8 The SDI client-side proxy can also provide a useful service of validating data in 

9 profiles. This can be important in scenarios in which it is possible that a user can try to 

10 misstate information in the database for personal gain. For example, consider a consumer- 

1 1 business e-commerce system in which vendors determine user discounts for products based 

12 on their profile information. Clearly all users will attempt to adopt the profile for the 

1 3 cheapest price, if that is known, and if that is possible. We can allow vendors to specify that 

14 they will only follow validated information, for example if a user's profile states that he/she 

15 is very price sensitive, then it is more usefixl to know that if the assessment is based on 

16 validated transactions performed via the SDI system, hi general terms, information is 

17 valuable within a marketplace if the information is accurate, and we can use client-side 

1 8 validation to achieve that goal. 

1 9 Consider another business-consumer e-commerce example. In general it is useful to 

20 allow an agent to duplicate information across different identities in the SDI data warehouse, 

21 e.g. my Zip code might well be information that I am very happy to associate with all of my 

22 profiles because it is not too revealing of my identity. However, as a vendor I might like to 

23 know that when I execute a query I am not paying to receive duplicated data records for the 

24 same user. One usefiil way to prevent this is to allow a user to also state with some records 

25 "this is the only user profile for which I am choosing to submit this piece of information". 

26 For example, if user A purchases book X then the user might choose to associate 

27 information about that book purchase with just one of his/her profiles in the SDI data 

28 warehouse, e.g. the profile for the "book-reader". Stating this allows a vendor to specify 

29 within its query that it is only interested in receiving information associated with profiles 
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1 that include this "exclusivity" claim. The SDI client-side proxy can provide a guarantee that 

2 the user only associates data with one profile, for example using a cryptographic method, 

3 e.g. signing the data record with a key to indicate that it is a unique record. 

4 

5 9.3.2 Data Perturbation 

6 In addition to an agent's identity management and data-release policy an agent must 

7 be careful that it does not compromise its identity-management policy by releasing 

8 identifying information. For example, an agent must be careful not to release the same piece 

9 of information X under pseudonyms PI and P2 if it is unlikely that the information would 

10 relate to two different agents. In the next section we discuss the concept of data perturbation 

1 1 in some detail. The idea is that an agent must add enough noise to any information that is 

12 released to prevent identification by another agent, unless the other agent already knows the 

13 agent's true identity. This date-perturbation module can run on top of identity and data- 

14 release methods. Without careful management of the control of information a 

15 pseudonymous identity management policy is redundant. Remember, whenever 

1 6 pseudonymity is compromised there is no technical method to prevent vendors and other 

1 7 agents fi-om exchanging information about the agent. 

1 8 Agents are careful to reveal only information that will not allow a vendor to link the 

19 identity of a user across multiple pseudonyms, defeating tiie identity management policy. 

20 Pseudonymity can be broken whenever an agent reveals the same piece of information, X, to 

21 multiple agents, e.g. A and B, and that information X has significant discriminative power. 

22 Agents A and B might be able to deduce with quite high probability that it is likely that the 

23 two pseudonyms refer to the same agent; and therefore combine their profile information 

24 and defeat the user's profile management policy. 

25 Consider an extreme example in business-to-consumer e-commerce: if agent 1 

26 reveals its social security number to vendors 1 and 3, its pseudonymity is broken. Vendors 1 

27 and 3 can now communicate and deduce that the agent that interacts under pseudonym PI 

28 and pseudonym P2 is the same agent, and therefore share profile information that the agent 

29 would like to isolate from each agent. The pseudonymity is broken in this case because 
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1 social security numbers are unique identifiers. A slightly more subtle example is to consider 

2 an agent that provides a combination of profile information to two vendors, where the 

3 information taken together is suitably revealing that the vendors can conclude that the 

4 pseudonyms relate to the same user with high probability. 

5 At the other extreme, we might simply provide no personal identifying information, 

6 such that in a business-consumer e-commerce application the vendor knows only the type of 

7 product that the agent is looking for, or the request for information made by the agent. In 

8 this situation we can use the methods disclosed in [SECTION XXX, END OF BOTTOM- 

9 LEVEL] to complete a transaction with pseudonymous physical mail and pseudonymous 

1 0 payments. 

1 1 A slightly more advanced method is to classify information as identifying and non- 

12 identifying, where information is non-identifying if no amount of the information can break 

13 a user's identity; e.g. information common to many other users, perhaps the city in which a 

14 user lives, a rough salary range for a user, a user's banking institution, etc. In comparison, 

1 5 identifying information might include a user's street address, a user's favorite book, a user's 

1 6 exact salary, etc. 

1 7 The data-perturbation approach is to select the information to release, via an agent's 

1 8 data-release policy, and then add a necessary amount of random noise to that information to 

19 protect a user's identity. We can add a small amount of random noise to data, enough to 

20 prevent identification, but not so much that the data has no value to another agent. For 

21 example,- my year of birth and Zip code might be almost as valuable for customization 

22 purposes as is my fiill date of birth and street address. 
23 

24 9.3,32 Click stream data. 

25 One type of data that is especially interesting in a browsing environment is click 

26 stream data, which is stored at the client machine and represents a sequence of clicks that a 

27 user has executed, possible across multiple vendors. The data can be stored on a user's local 

28 client machine and periodically released under an appropriate pseudonym to the central SDI 

29 data warehouse. The client-level proxy server that runs on a user's host machine is in a 
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1 unique position of being able to monitor the user across different pseudonyms and across 

2 different vendors' sites. The client proxy might also collect information about: 

3 

4 o The information that is displayed to a user (e.g. the text, the pictures, etc.) 

5 o Information typed at the keyboard, and profile information transferred from the 

6 client machine to a vendor. 
7 

8 The data is gathered by passively observing the actions of the user, and not by direct 

9 question-and-response. Possible click stream data release policies include the following 
1 0 data-release policies: 

11 

12 A. Release no information. 

13 B. Only release data on the URLs of the most recent sites visited. 

14 C. Release data about the URLs of the most recent sites visited, and the information 

1 5 displayed to the user. 

16 D. Release data about the URLs, the information displayed, and the information 

1 7 entered by the user. 
18 

19 in combination with a suitable identity-management policy. For example, an agent might 

20 state that all click stream data should be released under the pseudonym that the agent adopts 

21 for a particular transaction, i.e. all click stream data with amazon.com should only be 



22 associated with my "buying books" pseudonym. An altemative policy might state that cHck 

23 stream data should be stored under a unique pseudonym, and not identified with any of a 

24 user's other pseudonyms. The agent might then allow a vendor to perform limited queries 

25 on that data, for example only query information related to particular domain names. Many 

26 variations are possible: e.g. use a unique pseudonym for each new URL domain, i.e. 

27 whenever a user skips to a new site, submit click stream data under a new pseudonym. 

28 Click stream data can be subject to random perturbation, just like standard data— for 

29 example removing time-stamp information and adding noise to the URLs that a user clicks. 
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1 There may be other click stream data release policies worth considering outside 

2 the preferred embodiment discussed above. For example, Intermind's patent number 

3 XXXX, entitled XXXX, provides for the release of a user's information according to the 

4 terms and conditions of the user's own data disclosure policy. 

5 Such an arrangement could be further enhanced by conditioning the quality of the 

6 data released by the vendor to the user on the strictness of the user's own data disclosure 

7 policy - users could then be rewarded to share more of their clickthrough data. Various 

8 levels of security could also be guaranteed to the user releasing such information - for 

9 example the data perturbation technique could be used to ensure that the vendor only 
1 0 receives aggregate information about his visitors. 

11 

12 9.4 Agent-Agent Data Management 

13 It is important that an agent that submits data to the central SDI data warehouse also 

14 maintains careful control over the data that is directly released to other agents through one- 

1 5 to-one interactions. It is necessary to prevent a '"black-market" in data. Furthermore, a user 

16 might simply prefer that another agent (for example representing a vendor) does not know 

1 7 certain pieces of information. 

1 8 With respect to preventing a black market in information about a user, it is important 

19 to prevent two different agents linking the identity of an agent under two different 

20 pseudonyms, based on comparing information provided by an agent under each pseudonym. 

21 We do not propose a technical solution to prevent these agents exchanging information 

22 (outside of SDI) about the agent when this type of Unking is possible. Such violations can 

23 not only affect a user's privacy, but might also decrease the value of information provided to 

24 the SDI data warehouse, since information can be readily exchanged between agents outside 

25 of the constraints of SDI. 

26 Fundamentally, the policy under which an agent handles data release to another 

27 agent is no different from the policy with which data is released to the central SDI data 

28 exchange. This is a special case, in which the agent knows that it is providing explicit 

29 permission for an agent (specifically the agent with which it interacts) to receive all 
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1 information that it releases. As indicate above, the pseudonym and the data release to 

2 another agent can be determined by certificates that the agent is able to present, and an 

3 agent's local data and identity management policies. 

4 For example, suppose that the policy defines that certificate A confers the right to 

5 receive a persistent pseudonym, and also receive links to the pseudonyms in set PI . Suppose 

6 the certificate B confers the right to receive an anonymous pseudonym, and receive no links, 

7 and certificate C confers the right to receive a persistent pseudonym, and links to 

8 pseudonyms in set P2. Finally, suppose an anonymous profile is the default. Now, suppose a 

9 vendor presents certificates A and C. This vendor receives a persistent pseudonym, and links 

10 to pseudonyms in the union of sets PI and P2; a vendor that presents A and B receives a 

11 persistent pseudonym and links to pseudonyms in set PI; and a vendor that presents no 

1 2 certificates receives an anonymous profile and no links to other pseudonyms. 

13 

14 9.5 Light Clients: Web-Centric Data Management 

1 5 In this section we describe a variation that pushes data management to a centralized 

1 6 web-server, so that "lighf ' 

17 -mobile computing devices can achieve the same fiinctionality as a more powerful desk-top 

1 8 computer. The convergence of telecommunication and computation technologies is leading 

19 to many new mobile devices, but they often have limited computational resources— 

20 processing power, memory, storage space, battery life-time. It is an interesting problem to 

21 provide these mobile devices with general computational abilities, for example leverage 

22 centralized computation to do such compute-intensive tasks as data mining and information 

23 extraction. 

24 We explain how the fiinctionality of the client-side proxy agent, for example in 

25 managing the identity and profile information of a user as he/she interacts with other agents 

26 in a networked environment, can be pushed to a central server in the system of Secure Data 

27 Interchange. This is useful in the case of a light client with limited -data storage and 

28 information processing capabilities. This enables a user to maintain a persistent SDI profile 

29 across different client machines, for example at work and at home. The profiles and 
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1 pseudonyms that an agent uses to interact with other agents can be stored in a central 

2 computational server, with remote user access. Alternative technologies, such as smart-card 

3 technologies, might allow information about an agent to be physically stored with a mobile 

4 agent, but use central servers and local compute devices to perform computation. 

5 The first step is to support user-identification, for example via a mobile key-card 

6 [Chaum 85; Chaum 91], password and question-response, a voice-test, an iris-scan test, 

7 etc. With this, the client's proxy agent can authenticate its identity to the SDI profile 

8 management server, and request that the profile manager initialize a personalized 

9 interaction session with another agent. Consider for example a physical SDI device in a 

10 store, that requests notification whenever agents with light SDI clients are in its physical 

1 1 proximity. At this stage the light client and initiate an exchange of information between 

12 the SDI store agent and the SDI central servers, and receive the benefits of a personalized 

1 3 interaction. 

14 Figure 12 illustrates a sequence of steps that can allow a light client to execute a 

1 5 customized interaction with another agent. Suppose agent 1 is a light client. Initially 

16 agent 2 contacts agent 1, requesting profile information so that agent 2 can provide a 

1 7 customized service to agent 1 . Agent 1 receives the request, and contacts the SDI profile 

1 8 management server, which implements the functionality of an agent's data management 

19 and identity management policies, and provides an identifier for the appropriate agent 

20 pseudonym to agent 2. Agent 2 can then request information about agent 1 directly fi-om 

21 the central SDI server, and finally provide personalized information and services to agent 

22 1. 

23 The pending patent application "A System for Location Enhanced ..." [ FILL IN 

24 NAME AND P atcn t ATENT AppHcation #09/314321 1 describes a method to identify a user 

25 based on location, which can allow automatic detection of close SDI-enabled agents based 

26 on physical proximity. The methods taught in the LEIA patent also suggest the use of a 

27 common user identifier, which could via simple look-up act as the Unique User identifier in 

28 the central SDI database. Other biometric variations, e.g. via his scan technology promise to 

29 allow personalized interactions between people and other agents that they approach in the 

30 physical world, with sessions automatically configured based on identification and 

31 principles of consent. Location based filtering can be further used to allow relevant 
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1 information to be delivered to a user based upon his/her physical location. It is also possible 

2 to pre-cache personalized information directly to the user's client (and server) thus 

3 overcoming the bandwidth bottleneck or wireless connections. 

4 Web-centric profile management can be used in an environment of mobile users 

5 that interact with many different computational devices, for example ATM machines, point- 

6 of-sale terminals, etc. A simple variation of SDI allows a user to allow a machine with 

7 which he/she interacts to be automatically configured for a personal session, based on 

8 carefully controlled queries fi-om that machine to the central SDI data warehouse. A 

9 common '"user identifier" be it cards, codes or biometrics can be used to identify and 

10 personalize the local SDI client machine. The user may also be identified during off-line 

1 1 transaction via his/her credit or debit cards, for example on ATM machines and POS kiosks, 

1 2 providing promotional offers and coupons. 

13 

14 9.6 Smart Cookies 

1 5 Current practice in web-browser based consumer-to-business electronic commerce is 

16 to use cookies, which are identifiers placed on a user's hard drive, to identify a user across 

17 an extended period of time. For example, if I access the New York Times fi-om my home 

1 8 personal computer on Monday, and then again on Tuesday, the New York Times server can 

1 9 identify that I am the same individual and build a profile of my interests, i.e. the new stories 

20 which I choose to receive first each day. This type of information about all of the users that 

21 read the Times can allow collaborative-filtering type techniques and personalization of 

22 information in the fixture, such that my "fi-ont page" is different from the front page of 

23 someone else. 

24 However, cookies have the unfortunate side effect of allowing an individual to be 

25 tracked across the web pages of different vendors, for example across the web page of the 

26 New York Times ( www.newvorktimes.com ) and Amazon (www.amazon.com ), if the 

27 Times and Amazon both embed content from the same third party in their pages. This 

28 happens, for example, with the DoubleClick advertising network. Doubleclick 

29 (www.doubleclick.com) operate a virtual network of pages, and can track a user across any 
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1 page within their network, and gather a very comprehensive user profile. Although the 

2 cookie mechanism is designed so that only vendors with the same domain name can access 

3 cookies on a user's hard drive, they can easily be used to profile users across multiple 

4 vendors, for example with a double-click style network that embeds a universal advert 

5 server within each page. 

6 The system of SDI allows controlled personalization, such that a proxy-automated 

7 log-in session where the proxy presents a user's pseudonym to a vendor allows that vendor 

8 to track a user over time at its own web site, but a vendor cannot track a user across web 

9 sites. The SDI client-side proxy agent will disable cookies in their current form (although 

10 introducing "smart cookies" to retain the initial functionality provided by cookies in 

1 1 Netscape's description, that of a stateflil interaction with a user). Furthermore, vendors can 

12 still perform collaborative-filtering style data-mining across different data sets fi-om multiple 

1 3 vendors, but only with the explicit authorization of owners of that information, as presented 

1 4 by price-rules associated with that data in the main data warehouse. 

15 Netscape, Inc. [see Netscape.com technical notes for developers] have proposed a 

16 method called "safe cookies" to retain the statefiil interactions that are an essential part of a 

17 good e-commerce interaction (supporting shopping baskets, for example), but without the 

1 8 drawback of tracking users. Our smart cookie mechanism is similar, allowing stateful HTTP 

19 sessions without allowing a user to be profiled across multiple sessions. In its basic form 

20 HTTP is anonymous, there is no way to differentiate one request for information fi-om 

21 another request for information. The cookie mechanism was designed to overcome this 

22 problem when it is useful to display consistent information to a user over a sequence of 

23 "clicks", for example to implement a "shopping basket" in a on-line e-commerce site. An 

24 altemative mechanism is to embed codes in the URL itself, with the code" mechanism. 

25 We propose a smart cookie, that is stored on a user's hard drive and provided with every 

26 HTTP mechanism sent to a vendor, but deleted as soon as the user changes his/her 

27 current context and goes to another URL domain name. For example, the New York 

28 Times can write a smart cookie to the user's hard drive to associate that user with HTTP 

29 requests while the user does not change context and go to another web site. However, as 
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1 soon as the user enters the amazon.com URL into his/her browser the cookie is 

2 permanently deleted from the user's hard drive. Essentially, the solution must allow only 

3 temporary cookies, which expire at the end of a "session", as defined by the client 

4 machine. The temporary cookies provide stateful interactions in a TCP/IP system as with 

5 cookies, but expire at the end of a session. 

6 Cookies are also used at present to allow a user to automatically and seamlessly 

7 log-in to a web page. We can avoid any loss of convenience to a user with automatic 

8 methods for log-in to remote servers, for example via the Janus/LPWA [BGGMM97; 

9 BGGMM98;GGMM98] or W3C proposals [CR98; RC99; W3C-0PS 97]; essentially the 

10 pseudonym and an associated password that a user adopts for a vendor allows log-in to 

1 1 that vendor. 

12 Also important when supporting a system that allows a user to browse 

13 pseudonymously is that the physical attributes of a network system are removed of their 

14 identifying characteristics. For example, another role of client-side data management agents 

15 is to strip the 'from' field in a HTTP/TCP message. 

16 

17 9.7 Implementation Details 

18 In an Internet browser environment the client-side proxy agent that provides 

19 distributed data management for an agent might be implemented as a plug-in into the 

20 browser, that can for example be downloaded from a central SDI server. The browser is then 

21 configured to use the SDI proxy as its proxy, and the SDI proxy itself connects through a 

22 user's ISP- (or other intranet gateway) to the Internet, and on to other vendors. 

23 The user provides his/her SDI proxy with personal information, such as his/her 

24 name, mailing address, and e-mail address. The client-level proxy registers then registers the 

25 user with the central SDI server, providing the server with the name, address and e-mail 

26 address of the user. Other basic user information might include demographic information, 

27 for example a users job, marital status etc. The client proceeds to automatically generate a 

28 unique SDI user ID code, and a private key to allow fiiture authentication of its log-in. 

29 
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1 The client can create a unique public key/private key pair. This key pair can be 

2 generated only once for a person, and although the central SDI user ID server does not know 

3 the key pair, the server can verify that a key pair is only generated once-- because a new user 

4 must present proof of identity to establish an account. The client generates a unique user 

5 identifier, UUID, for example with the methods taught in [Chaum 85; Schneier 92]. The 

6 UUID can then be blinded and signed to certify that a user is registered with SDI, using 

7 Chaum's technique of blinded signatures so that the certifying agent does not the identity of 

8 the UUID that it signs [Chaum 85, Chaum 92]. The client-level proxy can remove the 

9 blinding factor, to compute a signed UUID that it uses when it is necessary to generate new 

1 0 pseudonyms and request new certificates. 

1 1 The client-level proxy can now sign messages with its private-key, and provide the 

12 signed to UUID, to verify that (1) the UUID represents a validated user; (2) it is the client- 

13 level proxy authorized to act for the user, because it has the private-key associated with the 

1 4 UUID. The client-level SDI proxy uses the private key to authenticate messages that it sends 

1 5 to other modules within SDI, such as Pseudonym administering servers. The unique user ID 

16 for a user does not carry any information about the user, its sole purpose is to provide a 

17 unique identity. The unique UUID can also be used to generate new pseudonyms for users 

18 that are certified one-time for a particular vendor, so that the user certifies that he/she 

1 9 maintains the same profile for all interactions with a vendor. 

20 At this stage the central SDI server might verify the identity of the user, and also 

21 check that the user is not already registered with SDL The method for verifying the identity 

22 of a user could include requesting that the user provides his/her social security number, or 

23 some other institutional solution that is used for this purpose. In the future we could 

24 envisage an electronic system for such an identity procedure, but the method might require 

25 for the user to execute this initial step in person with the presentation of a recognized photo 

26 ID. The central SDI user ID server maintains a database of all users that are registered with 

27 SDI, and checks that that the user is not already registered with the system of secure data 

28 interchange. The central SDI proxy may also provides the user with a signed certificate of 

29 some universal identifier, such as its Social Security Number, that the user can use to 
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1 generate other certificates from certifying agencies, to be able to gain certificates under 

2 pseudonymous identities. 

3 

4 9.7.1 Initializing Identity and Data Management Policies 

5 The client-side SDI proxy might provide a rule-based interface to allow a user to 

6 select from a menu of defaults an appropriate profile management policy, or to configure 

7 with the aid of a decision tree an appropriate profile management policy for a user. 

8 Profile management policies define how a user will interact with various classes of 

9 vendors (depending on the nature of the business that the vendor is engaged in), the kinds 

10 of uses to which the transactional information that a vendor collects can be put to, and the 

1 1 amount of information that a vendor which collects profile information about a user is 

12 authorized to release. The client-level proxy manages a user's interactions with vendors, 

1 3 to keep them within desired policies. 
14 

15 9.7.2 Generating a New Pseudonym 

16 The method of blinded signatures [Chaum 85; Chaum 92] provides a usefiil 

17 technique to generate new pseudonyms for a user, without any centralized database that 

1 8 stores pseudonyms. The client-level SDI proxy can generate a new identifier, comprised of a 

19 sequence of bits, that will be unique with a high degree of probability. The identifier is 

20 "blinded" and then submitted to a trusted-third party to be authenticated for use as a 

21 pseudonymous identifier. When authenticated the blinding factor is removed, and the final 

22 signed pseudonymous ID can be used as a new identifier. The signature can allow a user to 

23 associate certificates with that identifier, and also to verify that the user has only a single 

24 pseudonymous ID with a particular vendor. 

25 Pseudonym administering authorities (PAS) cannot build dossiers of the 

26 pseudonyms, because users submit "blinded" identifiers. The only information that a PAS 

27 has is the list of unique vendors that a particular user has registered with. The pseudonym 

28 administering server can be operated by an agent with a trusted relationship with a particular 

29 vendor. 
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1 Every SDI user has a unique identifier, a UUID, that is presented to the PAS with 

2 the new pseudonymous identifier to be validated. The PAS can verify that this is the first 

3 pseudonym for a particular vendor. Each Pseudonym administering server has a public key / 

4 private key pair (PKPAS, SKPAS) for each Vendor for which it validates new pseudonyms. 

5 A signed pseudonymous identifier, signed with the private key of PAS, verifies that the 

6 pseudonym is valid. Cryptographic techniques ensure that the signature cannot be falsified, 

7 and allow another party to verify the signature with the public key of the PAS. This enables 

8 a vendor that receives the pseudonym to validate that the pseudonym is unique for the user, 

9 to enable persistent interactions across multiple sessions. 

10 An agent can use its pseudonymous identity to initialize transactions with a vendor, 

11 and also to encrypt messages. However, it may be more efficient to exchange future 

1 2 messages with a shared key pair — this is more efficient to implement that an asynchronous 

1 3 key pair cryptographic solution. Messages can be encrypted with the shared key, that only 

14 the user and the vendor know. This (1) validates that the message is fi"om the sender; (2) 

1 5 ensures that only the intended recipient can read the message. 

16 9.7.3 Automatic Client-Side Profile Management 

17 When a user clicks to a new URL the SDI proxy agent must determine (a) the 

1 8 identity to adopt with the vendor; and (b) the profile-management policy to adopt with the 

19 vendor. The first-step can be performed by local look-up, in a stored table of the vendors 

20 that the user has interacted with. Should the vendor be a new vendor, then it is necessary to 

21 implement the identity-management policy based on certificates provided by the vendor, 

22 and then either use an existing pseudonym or alternatively adopt a new pseudonym. 

23 With an appropriate pseudonymous identifier the proxy agent can connect to the 

24 vendor, sending the vendor its signed identifier to identify itself The proxy server continues 

25 by sending the data privacy policy for the user with this vendor, signed with the private key 

26 for the pseudonym. This serves three main purposes: (1) it demonstrates to the vendor that 

27 the user is indeed the owner of the public key PKP, because the user has the secret key that 

28 is associated with it; (2) it informs the vendor about the data-privacy policies that the user 

29 requires; (3) whenever the vendor submits information about transactions with this user to 
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1 the central SDI server it must also submit this certificate to verify that it is following the 

2 user's guidelines. 

3 The client-side SDI proxy agent might also provide a "connection-certificate" to 

4 provide the vendor with certain abilities to access information about the user in the central 

5 SDI data warehouse, as described in the earlier section. When a user connects to a site and 

6 provides a certified public key, the first-level proxy server also provides a time-stamped 

7 certificate of connection, S( (PK*V, T), SKP), where T is the current time, PK*V is the 

8 unique public key of the vendor, and SKP is the secret key of the user for the pseudonym 

9 that it uses with the vendor. This "connection certificate" is used by the vendor to request a 

1 0 profile-release fi:-om the central SDI server. 

1 1 The proxy agent than implements the profile-management policy, as it relates to the 

12 certificates presented by the vendor. First, the agent might submit the basic profile 

13 information to the vendor, for example a user's age, nationality, state, sex — anything a user 

14 is happy for any vendor to know. This is the basic profile that is configured by the user 

1 5 during initial registration with SDI. Later, the vendor might request profile information, that 

1 6 can be provided if the vendor is authorized to receive such information. 

17 

18 9,7.4 Leveraging Existing Standards 

19 The architectural fi"amework outline above can be implemented with a number of 

20 existing technical methods. One approach is to use the Extensible Markup Language (W3C- 

21 XML) to encode information exchanged between client agents and vendor agents, for 

22 example profile information and requests for information. This has been suggested by the 

23 W3C consortium. The extensible Markup Language (XML) proposal of the Worldwide 

24 Web Consortium working group on SGML provides an ideal standard for representing such 

25 information. XML allows meta-content to be included with documents, -machine-readable 

26 information that enables documents to be processed by client software. Augmenting web 

27 documents with structured information enables clients to respond to requests for profile 

28 information. XML can represent rich data structures, and that allows a grammar to be 

29 defined for information that allows data to be automatically verified for correctness. 
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1 Example: An XML Representation for a Profile Request Message 

2 A vendor might request profile information from a client-side SDI proxy agent. A 

3 vendor sends a 'Request Profile' message, and the client-side SDI proxy agent responds 

4 with a 'Profile Update' message, that contains profile information, in accordance with a 

5 user's profile management policy. The request-response mechanism can be implemented 

6 using the standard HTTP Post/Response mechanism in conjunction with XML message 

7 types. The 'Request Profile' message can be represented in XML as: 
8 

9 <?XML version = "1.0" ?> 

10 <?xml : namespace ns = "http://www.sdi.com" prefix = "SDI" 

11 ?> 

12 <!doc> 

13 <SDI :Request> http://www.some_vendor.com </SDI :Request> 
14 

1 5 and the SDI proxy agent's 'Profile Response' message can be represented in XML as: 
16 

17 <?XML version = "1.0" ?> 

18 <?xml : namespace ns = "http://www.sdi.com/clientX12345" 

19 prefix = "SDI" ?> 

20 <!doc> 

21 <SDI:Update> 

22 <SDI:Profile> 

23 <SDI:Item> (1231, 0,453) </SDI:Item> 

24 <SDI:Item> (1041, 0.034) </SDI:Item> 

25 </SDI:Profile> 

26 </SDI:Update> 

27 

28 An illustrative Docximent Data Type (DTD) for an SDLProfile element type is presented in 

29 the next section. The XML messages are included in the body of standard HTTP 

30 Post/Response messages. We limit the performance degradation caused by out-of-date 

3 1 profile information that is stored within web pages of on-line vendors by associating "out- 



Page 99 of 381 



SUBSTITUTE SPECIFICATION 



1 of-date" time stamps with the profiles that are provided by the central SDI server. This 

2 mechanism is similar to the "expiration time" tag of a Netscape Cookie message. The 

3 frequency with which profile updates need to occur will depend on the speed with which 

4 profile information changes. The "out-of-date" time stamp can be included as an additional 

5 element in an SDI:Update message. 

6 The system as outlined above can be implemented within the current HyperText 

7 Transfer Protocol (HTTP), as a sequence of challenge/response pairs between clients and 

8 servers. The HTTP Post/Response mechanism allows clients and servers to exchange data, 

9 and this data can be an instance of an XML Document Type, within the body of a HTTP 

1 0 message. The HTTP protocol is the underlying mechanism, with SDI messages contained 

11 in the body of the HTTP Post and HTTP Response as XML documents, 

12 

1 3 Example: A Possible XML Representation of a User profile 

14 The World Wide Web Consortium (W3C) SGML working group developed XML 

1 5 (extensible markup language) to provide an open and extensible grammar for structured data 

16 [XML]. An XML document has an associated schema definition to enable an XML-enabled 

1 7 browser to validate the structure of XML data automatically. A Schema in XML is called a 

1 8 Document Type Definition (DTD), and defines the names of tags, their structure, and their 

19 content model. XML allows the DTD for an XML file to be identified through a Universal 

20 Resource Indicator [URI] in the header of the file (see below). XML also allows URIs for 

21 mobile* code resources to be referenced, in order to enable a client to process embedded 

22 XML data. An XML document must be well formed, and in order to be well formed the tags 

23 must form a tree structure. In addition, the DTD allows the structure of an XML document 

24 (an instance) to be validated against a particular schema. Senders and receivers must only 

25 send valid SDI files. Each SDI message is a valid XML document. 

26 We provide an example XML instance and part of a Document Type Definition for 

27 use within the system of SDL We assume in this example that profile information is 

28 represented as a list of attribute- value pairs within an XML document. An attribute is 

29 defined by a numeric code, and the value defines the weight of the attribute. For example: 
30 



Page 100 of 381 



SUBSTITUTE SPECIFICATION 



1 <?XML version = "1.0" ?> 

2 <?xinl : namespace ns = "http://www.w3.org/0PS/0PS" prefix := 

3 "OPS" ?> 

4 <?xml : namespace ns = "http://www.sdi.com" prefix "SDI" 

5 ?> 

6 <!doc> 

7 <SDI : Prof ileData> 

8 <SDI : Location> 

9 <SDI :Geocode> 12321561 </SDI : Geocode> 

10 <SDI :DigiMap> http: //www.digimap/?12321561 

11 </SDI :Digiiyiap> 

12 <0PS:Zip> 19103 <SDI:/Zip> 

13 <SDI : /Location> 

14 <OPS : Demographio 

15 <OPS: Gender > F < /OPS : Gender > 

16 <OPS:Age> 26 </OPS:Age> 

17 <OPS:Income> 50000-75000 </OPS : Income> 

18 < /OPS : Demographi c > 

19 <SDI:ID> 

20 <SDI :Pseudonym> P12543 </SDI : Pseudonym> 

21 <SDI:PublicKey> 12453246129421 </SDI : PublicKey> 

22 </SDI:ID> 

23 <SDI:Profile> 

24 <SDI:Profile-item> (1242, 0.546) </SDI : Prof ile-item> 

25 <SDI : Prof ile-item> (56 , 0 . 045) </SDI : Prof ile-item> 

26 </SDI:Profile> 

27 </SDI : Prof ileData> 
28 

29 The Document Type Definitions for this docximent are specified in the header, and 



30 include URIs to a DTD of the Open Profiling Proposal of the W3C, and also a DTD of the 

3 1 Secure Data Interchange. The OPS DTD is used to boot strap the SDI DTD, providing tags 

32 for common profile information, such as 'Gender', 'Age', Tncome', etc. The section of the 
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1 SDI Document Type Definition that is used in the above XML fragment is presented below. 

2 It makes reference to tags defined in the OPS DTD, and the RDF (Resource Description 

3 Framework), a W3C proposal to standardize the structure of Digital Type Definitions for 

4 XML documents. XML Name spaces [NS] provide a method for unambiguously 

5 identifying the semantics and conventions governing the particular use of property-types by 

6 uniquely identifying the governing authority of the vocabulary, for example OPS and SDI in 

7 the example above. The URI for a schema can contain a human and machine-readable 

8 description of an XML schema. 
9 

10 <1 ELEMENT SDI : Prof ileData (SDI : Location? , 

11 OPS: Demographic?, SDI: ID?, SDI : Prof ile?) > 

12 <! ELEMENT SDI: Location (SDI : Geocode? , SDI:DigiMap, 

13 OPS: Zip?, OPS: Address?) > 

14 <1 ELEMENT SDI : ID (OPS: Name?, SDI : PublicKey? , 

1 5 SDI : Pseudonym? ) > 

16 <1ELEMENT Profile RDF : list<SDI : Prof ile-item> > 

17 <! ELEMENT SDI:Geocode #PCDATA > 

18 <! ELEMENT SDI:Digimap #URI > 

19 <! ELEMENT SDI : PubicKey #PCDATA > 

20 <1 ELEMENT SDI : Pseudonym #PCDATA > 

21 <1 ELEMENT SDI : Prof ile-item (SDI : Attribute-ID, 

22 SDI : Attribute-value) > 

23 < 'ELEMENT SDI : Attribute-ID #PCDATA > 

24 <1 ELEMENT SDI : Attribte-value #PCDATA > 
25 

26 The tag '#PCDATA' is used here to represent numeric or textual information, '#URr 

27 declares that an instance of element *SDI:Digimap' must be a valid URI pointer. 
28 

29 There are a number of other related W3C proposals. The W3C proposal [W3C- 

30 MCF] -for a Meta Content Framework (MCF) suggests a particular structure for the 

31 description language for web pages, to enable schema to be shared and re-used. This 
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1 proposal is incorporated into the W3C [W3C-RX)F] Resource Description Format standard 

2 (RDF). The W3C proposal [W3C-OPS] for an Open Profiling Standard (OPS) describes a 

3 system for profile exchange between two parties, building on XML and MIME standards. 

4 The W3C proposal on privacy and profiling [W3C-Privacy] on the Web extends the vCard 

5 [Vcard] schema for electronic business cards to include profile information, and suggests 

6 that profile information can be stored and managed locally, with Client-server exchange of 

7 personal information as required (using the HTTP challenge/response mechanism). The 

8 Resource Description Framework (RDF) enables the encoding, exchange, and reuse of 

9 structured metadata. RDF is an application of XML, with additional constraints to allow for 

10 Data Type Definitions (DTDs) to be published, and interchangeability across different 

1 1 communities. The ability to standardize the declaration of vocabularies will encourage the 

12 reuse and extension of semantics among different information commmities [Mil 98]. RDF 

13 is a W3C proposed standard for defining the architecture necessary for supporting web 

14 metadata. RDF is an application of XML that imposes structural constraints to provide 

1 5 unambiguous methods of expressing semantics for the consistent encoding, exchange, and 

16 machine processing of metadata. RDF additionally provides means for publishing both a 

17 human-readable and machine-readable vocabularies designed to encourage the exchange, 

1 8 use and extension of metadata semantics among disparate information communities 
19 

20 1 0. Methods for Data Perturbation 

21 In this section we introduce data perturbation methods to augment data values 

22 with randomized noise, to allow queries to tradeoff price and quality, and to allow a user 

23 to protect his/her identity by hiding revealing details of submitted data elements. 
24 

25 The randomization of data occurs in two places in SDI, first a client-side SDI agent can be 

26 programmed to add noise to data as it is submitted to SDI, to provide an absolute guarantee 

27 that no malicious party, even for example an employee of SDI with privileged access to the 

28 SDI data warehouse, can benefit fi-om highly sensitive information. Second, the data 

29 repository in the central SDI data warehouse can be programmed via price-rules for access 
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1 to data records to allow randomized information to be released in response to queries, 

2 perhaps for a cheaper price. 

3 The method of random data perturbation allows an agent to protect the 

4 pseudonymity of profile information which is released within the system of Secure Data 

5 Interchange in response to queries executed on the central SDI data warehouse, and also 

6 with respect to information that is provided to other agents (e.g. from consumer client 

7 machines to vendors' servers in e-commerce applications) during direct interactions. 

8 Information is either adjusted slightly, through the addition of small amounts of noise, or 

9 rounded or binned in some way — ^to protect the identity of an agent if it is also releasing the 

1 0 same information under other pseudonyms. The goal in the method of data perturbation is to 

1 1 only adjust data by as much as necessary to protect the privacy of an agent, so that the value 

1 2 of data for personalization and user-profiling is retained. 

13 As an example, suppose a user lists its last 10 compact disk purchases, their prices, 

14 and the dates of purchases to two different on-line music vendors. Suppose the agent uses 

15 different pseudonyms with each vendor. Given information about the distribution of CD 

1 6 purchases over the population of agents, the vendors can compute the probability that the 

1 7 pseudonyms relate to the same agent. If it is quite likely that it is the same agent, the vendors 

1 8 can now exchange information about that user, and even collude on price. Clearly, the more 

19 revealing the information (e.g. providing more information, location of purchase, last 4 

20 digits of credit card, etc.), the greater the chance of identifying a user. 

21 However, the system of SDI is built around the concept of gaining value from the 

22 release of information, and maintaining careful control over the particular information 

23 available to other agents. The method of random perturbation allows information to be 

24 released without losing control over the ability of another agent to link the information with 

25 other pseudonyms that an agent might use. 

26 The main focus here is on random data perturbation, or rounding etc. as a method to 

27 prevent the identification of an agent and the linking of pseudonyms. This is critical to the 

28 successful operation of a system of pseudonymous data exchange, such as that implemented 

29 within SDL 
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1 Figure 13 illustrates how an agent's price rule can usefully contain an additive cost 

2 to reflect an agent's preferences to protect its protection level during query execution. For 

3 example, highly sensitive information can have a high price, while other information can 

4 have a low price. This additive cost to account for an agent's protection against the linking 

5 of its pseudonyms can be universal across all data records. 

6 

7 We propose a technique to allow a user to control information released and secure a certain 

8 protection level, which is an indication of the probability that its true identity can be 

9 recognized from information that it releases by an adversary with a perfect copy of the 

10 agent's true profile. The randomization method adds a level of noise to information to 

1 1 provide protection, based on the amount of information that is released and the information 

12 that is present in a database because of data records submitted by other agents. This is 

13 illustrated in Figure 14, which shows qualitatively that if there are many data records then 

14 the agent needs to add less noise to achieve the same level of protection as with less data 

15 records. 

16 The method of random data perturbation adds noise to data records to prevent an 

1 7 adversary with accurate information about the 

18 values of certain fields in the data record under another pseudonym from linking the 

19 pseudonyms, and reasoning that the two users are the same. Alternatively, we can round or 

20 bid data values, this has a similar effect. 

21 Basically, we add enough random noise to make the record sufficiently 

22 indistinguishable from other data records. There are two modes of protection, that depend on 

23 the amount of information known by the adversary: 

24 A. [Strong Protection] Assume that the adversary knows that an agent A_l with 

25 data records P submits data into a database; i.e. assume that the adversary 

26 knows for sure that one of the data records in the database relates to agent 

27 A_l. 

28 
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1 Strong protection is only possible if there are enough data records from other 

2 agents to allow agent A_l to add noise to its own data and make it sufficiently 

3 like that one of the other data records is the data of A_l; in particular the other 

4 data records must also be submitted with random noise perturbation, or rounded, 

5 such that it is possible that other data records are submitted by agent A_L 
6 

7 B. [Weak Protection] Assume that the adversary does not know that the agent 

8 A_l with data records P -has definitely submitted data into the database. 
9 

1 0 Weak protection is easier to achieve. It is only necessary to add enough random 

11 perturbation to data to make the number of possible data records over the 

12 population of possible data records that are supported with the perturbed data 

1 3 record large enough to prevent agent identification. 
14 

1 5 Randomized data is still useful within SDI for data mining and other applications, so 

1 6 long as the amount of noise which is added to records is small in comparison to the value of 

1 7 a record. For example, we can still perform correlation across fields with randomization so 

1 8 long as the randomization does not destroy any trends between fields. Randomized data is 

1 9 marked as such within SDI, and labeled with the degree of degradation, so that SDI can be 

20 aware of the number of records to get relevant accuracy levels, and can report accuracy to 

21 customers. There is a tradeoff between the level of privacy protection and the level of 

22 aggregation at which responses to queries become accurate. It is possible to add random 

23 noise to data but still allow data that is aggregated across multiple records to be quite 

24 accurate, so that usefiil data mining can be performed. Binning or rounding of data does not 

25 have the same effect. For example, assuming additive noise and additive aggregation, then 

26 randomized data from a number of agents can be aggregated to obtain an aggregate value 

27 (e.g. mean) quite accurately as the number of agents increases for noise perturbation with 

28 zero mean. 

29 Random perturbation of individual data records can provide a cheaper and more 

30 secure alternative to cryptographic techniques, such as secure fiinction evaluation, for 

31 providing information without compromising privacy [Schneier 92]. Randomized data is 
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1 secure to computational attacks and the loss or theft of private keys-because we degrade the 

2 data, and make access to any one data item virtually useless. Cryptographic techniques 

3 known in the art provide methods to compute aggregates or other values from encrypted 

4 information without first decrypting this information. However, the general-purpose nature 

5 of these methods makes them unnecessarily cumbersome for complex problems, hi 

6 particular, the communication and computation requirements of these methods when applied 

7 to the problem of aggregation result in an unacceptable overhead on the system. 

8 Finally, all cryptographic techniques are subject to compromise by successful 

9 attacks on the cryptographic scheme or by the loss/theft of private keys. Such problems are 

1 0 present in all uses of cryptography. In comparison, the method of random perturbation is an 

1 1 information-theoretic technique, and not subject to the same problems. 



12 10.1 Technical Details 

1 3 We propose one possible method to select an appropriate amount of noise to add to 

1 4 data. The noise can be added in two places: 
15 

16 1) At the agent's client machine as data is first provided to the central SDI data 

17 warehouse 

18 2) In the SDI data warehouse as queries are executed, with the SDI query execution 

1 9 engine implementing data perturbation for agents. 

20 With numeric continuous data we can select an additive noise term, for example 

21 sampled for example from a Normal distribution. The amount of noise is computed to 

22 provide an appropriate degree of confidence that an adversary with exact information about 

23 its attributes cannot identify the individual. For example, in a Normal distribution, the 

24 standard deviation that is required depends on the number of agents that have provided 

25 similar information, and how sparse the information is in its domain. The standard deviation 

26 is "tuned" to provide the appropriate level of privacy. We do not require that all data is 

27 perturbed from the same noise distributions. 

28 The amount of noise perturbation to add to a data record can be computed using an 

29 adversary argument, where we assume that an adversary knows the true values of an agent's 
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1 data, and may also (strong) know that the agent has submitted data to the database. We 

2 allow an agent to submit or release data with a random noise perturbation, and also can 

3 provide the service in the central SDI data warehouse in combination with price rules, to 

4 control the accuracy of data released to agents in responding to queries. An agent with true 

5 data X computes perturbed data X' with additive noise computed from distribution f, and 

6 submits the distribution f and the perturbed value X'. 

7 The problem is more difficult with discrete data, but we can instead select a new 

8 discrete element at random from a close neighborhood of the original data point [Section 

9 10.4]. In addition, with multi-attribute data, different, independently chosen noise terms are 

10 used for each field of a record that needs to be perturbed by the addition of noise [Section 

11 10.5]. 



12 10.1 .1 Single Attribute and Strong Protection 

13 Agent A_l has data X to submit to a shared database, e.g. the data warehouse in 

14 SDI. Alternatively, we can assume that the agent is about to send the data directly to another 

1 5 agent. Suppose in this example that X -is a continuous real number. 

16 _Suppose that an adversary knows that agent A_l will submit data record X, and the 

17 goal of the agent is to submit data X with enough random noise perturbation to provide 

18 some protection against identification. The level of noise that the agent needs to add to the 

1 9 record depends on the other data records already present in the database. 

20 The problem is to select an additive noise distribution f that will be used to perturb 

21 the value X, and compute a perturbed value X'. Let eps > 0 denote the agent's desired 

22 privacy level, the probability that the value X' was submitted by agent A_l given the data 

23 in the data warehouse and that one of the data records was submitted by an agent with true 

24 value X. 

25 For example, suppose the distribution is f = N(0,1), i.e. a Normal distribution with 

26 mean 0 and standard deviation 1 and the value X = 1. Assume that the random number 

27 generated by f, noise = +0.3. Therefore the perturbed value is X' = 1.3, and this is the 
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1 information that the agent submits to the database. Given this, an adversary can compute 

2 that a ex post distribution for the true value, g(X) = N(l,3, 1). 

3 Bayesian analysis can be used to compute an optimal parameterization for the 

4 random distribution, given a desired level of protection and information about the data 

5 already in the database, and the randomized perturbations that were added to that data. 

6 Assume that the database contains a set of data records submitted by agents, each with the 

7 submitted value X' and the noise distribution from which it was generated, f. With this 

8 information agent A_l can select an amount of noise perturbation. 

9 The goal is to compute Pr( Agent = A_l | true value = X), i.e. the probability that the 

10 agent that submits (perturbed value = X', noise distr. = f), is the agent with true value X. 

1 1 Using Bayes rule, this conditional probability is computed as Pr(A_l) x Pr(true value = X 

1 2 I A_l) / Pr(true- value = X). Each of these terms can be computed as follows: 

1 3 Pr(A_l ) This is the a priori probability that a random data record is submitted 

1 4 by agent A_l, and is equal to 1/N, for N records. 

1 5 Pr(true-value = X \ A_l ) This is the probability that an agent that submits (X', 

16 0 has true value X, and is computed from X' = X + f(d) as g(X) = X' - f 

17 Pr(true- value = X) This is computed as the sum of Pr(A_i) x Pr(X | A_i) over all data 

1 8 records, and represents the probability that any one of the data records was represents data 

1 9 with true value X. 

20 Agent A_l can now select parameters for distribution f based on this analysis, so that the 

21 probability that it is the agent to submit the new data record is less than eps, its desired 

22 protection level. 

23 The rule has the right behavior — the more data present in the system then the more accuracy 

24 an agent can use to submit its own information, for the same privacy level epsilon. Notice 

25 that the agent is more protected as: 

26 
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1 1 . Pr(A_l) decreases, i.e. with more data records in the database 

2 2. Pr(true-value= XI X% f) decreases, i.e. with more noise perturbation f 

3 3. Pr(true value = X) increases, i.e. there are more data points from other agents that 

4 might have true value X. 

5 The parameters for f, for example the mean and standard deviation in the case of 

6 noise generated from a Normal distribution, can be selected to set Pr(X' | true-value = X, f) 

7 = eps for the case that X' = X, i.e. when the random noise is zero. This presents the worst- 

8 case, assuming that distribution f places the most probability on zero noise. 

9 Finally, to compute parameters for f the agent requires aggregate information about 

1 0 the data in the database that has been submitted by other agents, hi particular, the agent 

1 1 needs Pr(X), the probability that any of the current data records could correspond to data 

1 2 with true value X. In some cases it is important to receive this information without revealing 

1 3 true value X. 

14 In a simple case, for example when a trusted intermediary such as SDI stores 

15 information provided by agents, the agent can simply poll SDI for Pr(X) before selecting a 

16 level of noise to use to perturb its information. Alternatively, when SDI is computing the 

1 7 level of noise perturbation to add dynamically as information is released in response to 

18 queries then the system of SDI can compute Pr(X) directly. In a more complex case, 

1 9 consider a problem where an agent is releasing information directly to an adversary, and the 

20 relevant set of data points are data that the adversary agent has already collected from other 

2 1 agents. In diis case the provision of information Pr(X) must be done within a secret-protocol 

22 where the adversary does not learn the value of X in the process. A straightforward way to 

23 achieve this is for the "adversary" agent to post aggregated information about the probability 

24 that a data record in its population has true value X, for a range of different values of X, and 

25 allow an agent to use anonymous look-up in a table. 

26 In summary, the following procedure can be used to select an appropriate level of 

27 noise to add to a data point: 

28 
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1 a. Choose a distribution family (e.g. Normal, Uniform, etc.), and let Par denote the 

2 parameters that define a specific distribution. 

3 b. Choose a level of privacy protection, eps where 0 < eps < 1. 

4 c. Request Pr(X) fi-om the database, i.e. the current probability that a perturbed (or 

5 otherwise) data record in the database has true value X. 

6 dr Compute parameters for the distribution to set eps = max_{X'} Pr(A_l | X', X, f) 

7 where X' is the value generated from f. 

8 d. 

9 10.1.2 Examples: Strong Protection 

1 0 (a) Uniform Additive Noise Perturbation Distributions 

1 1 Assume that every agent submits information fi-om a uniform noise distribution, 

12 centered around its true value. The decision variable in choosing a level of data perturbation 

1 3 when submitting new information is the range of the uniform distribution. 

14 Suppose agent 1 submits data point g_l ^ [4, 6], to denote that its perturbed value is 

15 X', and the value was computed with additive uniform noise U(-l, 1). Agent 2 submits data 

16 point g^2 = [4,6], agent 3 submits g^3 = [3,5], agent 4 submits g_4 = [3,6], and agent 5 

17 submits g^5 = [2,4]. 

1 8 Suppose that an adversary knows that user John has true value X = 2.5, and that an 

1 9 agent for John has submitted a data record. 

20 In this case the adversary can be sure that agent 5 represents John, because Pr(A_5 | 

21 X = 2.5) = Pr(A_5) Pr(x = 2.5 | [2,4]) / Pr(x = 2.5) = 0.2 * (1/2) / (0.2 * 1/2) = 1 . 

22 In comparison, for an adversary that knows that Mary has true value X = 5, then 

23 Pr(A_l I X = 5) = 0.2 * (1/2)/ (0.2 * Vi + 0.2 * Vi + 0.2 * 1/3) = 0.375, and similarly for 

24 agent A_2. The probability that agent A_4 is Mary is 0.25. 

25 Now, a new user, Bill, with agent A_6 wants to provide information about its data X 

26 = 5, and wants to be sure that an adversary cannot determine its identity with probability 

27 greater than eps = 0.1. Let d_6 denote the uncertainty selected by agent A_6, and compute 
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1 an optimal d_6 as so that Pr(A_6 | x = 5), i.e. the probability that agent A_6 has true value x 

2 =5. This is computed as Pr(A_6 | x - 5) = 1/6 * (l/d_6) / (1/6 * 1/2 + 1/6 * 1/2 + 1/6 * 1/3 

3 + 1/6 * l/d_6) = 1/ (4/3 * d_6 + 1), and is less that eps for d_6 > 6.75. Therefore agent A_6 

4 should generate a perturbed value with additive noise computed with uncertainty 6.75, and 

5 can then be sure that its identity is protected. 

6 (b) Normal Additive Noise Perturbation Distributions 

7 Now, assume a normal noise distribution, and let sd_i denote the standard deviation 

8 selected by agent A_i for its noise distribution. The analysis is slightly more complicated, 

9 because the Pr(X | A_i) is now a fiinction of the position of X within the distribution, not 

1 0 just whether it is in range as with uniform distributions. 

1 1 In this case an agent chooses the standard deviation for its Normal distribution by 



12 assuming that the randomized value X' = X, i.e. that the random noise distribution generates 

13 zero noise. This is the worst-case, maximizing Pr(A_6 | X) because Pr(x | A_6) is 

1 4 maximized and the other terms in the Bayesian expansion are invariant. 



15 10.2 Rounding and Binning of Data as an Alternative to Random 

16 Perturbation 

1 7 An agent can gain the same benefits of random perturbation in a more static scheme, 

18 where data is rounded or "binned" into intervals, i.e. agents report only approximate 

1 9 information to other agents. This works for the same reason, mapping each released data 

20 value to more than one true value. 

21 The problem is to select buckets for information (i.e. intervals on data) so that there 

22 are enough data records in each bucket to provide the required level of protection against 

23 adversaries aimed at uncovering the identity of agents from the information that they report. 

24 The previous analysis extends to this case, but can be simplified. If an adversary 

25 knows that an agent has true value X, then its first task is to find the prototype value (or 

26 bucket) corresponding to the true value. The probability that an agent has the true value is 

27 the same for all agents that have posted values with the prototype value, and equal to 1/N_p 

28 where N_p is the number of agents with the prototype value. 



Page 112 of 381 



SUBSTITUTE SPECIFICATION 



1 The decision for agents about submitting information is also simplified: if (1/N_j)) < 

2 eps for the prototype that the agent's value maps into and a desired level of protection eps 

3 against an adversary, then select the prototype value in the interval and report information, 

4 otherwise report no information. 

5 In order to support agents with different levels of privacy-sensitivity the system of 

6 SDI can allow agents to select a degree of accuracy when submitting information — 

7 providing nested buckets. For example, we can allow an agent to specify that its true value 

8 can lie in one of a number of buckets, or equivalently in a single super bucket. The number 

9 of agents with true values in a particular interval is then computed as the sum of the agents 

1 0 that report values in an interval, and a weighted sum of the agents that state that their values 

11 are in one of a number of intervals, according to the total size of interval specified and the 

1 2 size of the current interval. 

13 A useful variation on this method is to control the amount and type of information 

14 released, but only releases accurate information. The degree to which a user can be 

15 identified if it submits information X to a vendor depends on the other agents that have 

16 submitted similar information. For example, if X is very detailed (e.g. my street address), 

1 7 then it is probable that no other agent has submitted the same information, and I will self- 

1 8 identify myself with that information. On the other hand, if X is quite abstract, for example 

19 my ZIP code, then it is quite possible that a number of other agents with the same ZIP code 

20 have already submitted and released the same information. The method discussed above can 

21 be simply adapted to allow a client-side SDI proxy agent, or the SDI data warehouse, to 

22 decide how much information to release in order to protect a user's identity, based on 

23 information about the data already in a database. For example, instead of my street address 

24 my agent could choose to submit my ZIP code. 

25 10.2,1 Example: Binning Techniques 

26 Suppose that an agent must decide whether or not to reveal its salary on the basis of 

27 information that has been revealed by other agents. The database supports intervals: 

28 <$20000, $20000-40000, $40000-100000, >$100000. The number of agents with each 

29 prototype value is currently 10, 12, 16, 5. 
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1 Now, suppose a new agent represents a user with salary $200,000 and privacy 

2 threshold eps = 0.1. The prototype values prevent an agent from stating the high value (> 

3 $100000) because there are less than 10 agents in the bucket. However, if the provider also 

4 allows agents an option, for example "my value is in bucket 40,000 - 100,000 or > 1 00000", 

5 then the agent can state that information safely. In this case, the probability that the agent is 

6 an agent with salary $200,000 is computed as its weight in the top valued bucket, divided by 

7 the total weight, i.e. 0.5 / 5.5 < 0.1 



8 This technique of binning information, or rounding information, is simpler to 

9 implement that random noise perturbation because probability distributions must neither be 

1 0 sent to the provider or maintained by the provider. However, the information is represented 

1 1 with a static accuracy which is hard to improve as the amount of data submitted increases. 

1 2 This occurs automatically in the standard version. 
13 

14 1 0.3 Adding Random Perturbations to Discrete Data 

1 5 Adding noise to discrete values is a little more complicated, because the new value 

1 6 must remain feasible. For example, in randomizing the name of a CD the new name must be 

1 7 the name of another CD, not some "made up" name. We need to add noise to make data 

1 8 elements "close" to the accurate values. With discrete data, such as the name of an artist, 

19 "close" must be defined within the correct metric. The appropriate metric is such that a 

20 "close" value shares many of the same characteristics. For example, it is not appropriate to 

2 1 assign a close value on the basis of a shared last letter in the first name, but it is appropriate 

22 to assign a close value on the basis of an artist from the same genre of music — from a 

23 "semantic cluster". 

24 Agents use discrete probability distributions to randomize data points. 

25 

26 For example, suppose that an agent wishes to reveal the name of the artist that 

27 recorded the last compact disk that a consumer purchased. An artist's name is best viewed 

28 as a point in "artist space", and therefore as a discrete value. It does not make sense to 

29 change a random set of letters, because the new "name" will not be the name of a valid 

30 artist. Instead, the concept of noise is to randomly choose a new name close to the current 
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1 name, i.e. choose a new feasible location in artist space. One reasonable solution for the 

2 names of recording artists is to define a neighborhood of artists that are close to the original 

3 artist, and select a new artist from within the neighborhood with equal probability. The 

4 metric that defines how close artists must be computed using a system that is common 

5 knowledge to the provider of information and the consumer agent, because the provider of 

6 information must be able to compute the distribution over true artist name, given a 

7 randomized name and probability distribution. We can define the probability distribution 

8 with a threshold in the distance d(namel, name2) metric, and the tag 'uniform' to indicate 

9 that each artist within the neighborhood was assigned an equal probability weight. A metric 

10 for artist names can be computed using clustering techniques, where artists are clustered 

1 1 according to the buying habits of consumers that purchase them. 

12 Semantic clustering that enables usefiil randomization of discrete field can be 

13 automated when goods are fi-equent purchase, high volume goods- where individuals 

14 purchase goods on multiple occasions, and more than one of the family of goods on a single 

1 5 occasion. However, it is possible that high price, low volume goods, should be randomized 

16 on the basis of expert analysis (for example new cars, computers...) ~ where an expert can 

17 extract key features of a purchase, and represent the purchase generically using either a 

1 8 single prototype good, or one of a set of approximately equivalent goods. 

19 Another approach to discrete data is to apply the "approximation" technique and 

20 allow agents to specify a genre of music for example, or a prototype value fi"om a semantic 

2 1 cluster. This is equivalent to stating a range of salaries. For example, the system of SDI can 

22 provide clusters for music, and allow a submitting agent to state the cluster of the artist for 

23 the CD that it just purchased instead of the name of the artist. 

24 1 0.4 Noise with Bundles of Information, 

25 In general agents will release more than one piece of information to other agents, in 

26 a bundle of information. Intuitively, when agents submit a bundle of information they open 

27 up more possibilities for adversaries to determine their identity, because a bundle of 

28 independent information reveals more about a user than a single piece of information. 
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1 With a couple of assumptions, we can apply the same technique of random 

2 perturbations. It is again required that an agent either has information about the distribution 

3 over data points present in the data base, or in the population at large. For example, consider 

4 an agent that has already submitted approximate information to a provider about its home 

5 ZIP code, annual salary, and model/year of car. The agent needs to decide on an appropriate 

6 level of randomization for new information about its profession. 

7 The required level of randomization depends on the number of other agents in the 

8 system that could have the same salary, ZIP code, car, and profession, given the randomized 

9 information that they have submitted. 

10 _The problem of computing the current probability that another agent in the database 

1 1 might have true data B is more difficult because not all agents will submit the same bundles 

1 2 of information, i.e. some agents might provide more information than others. 

13 An agent will add independent noise to each element of its data bundle so that 

14 bundles of information released under two different pseudonyms cannot allow the 

15 pseudonyms to be linked. Also, if it is important that my data not be revealing an agent 

1 6 might add a random term that is shared across all my data values so that for example all my 

17 salaries or all my CD purchases are aggregated, an adversary does not get an accurate 

1 8 picture of my preferences. 

19 Assume that each element of a bundle of information is randomized independently. 

20 For example, if agent 1 has provides information about values X_a and X_b then it 

21 computes perturbed X'_a and X'_b from adding independent random values from 

22 distribution f. This allows the probability Pr(X_a, X_b | Agent 1) to be computed for 

23 values X_a, X_b as the product of the two marginal random distributions. 

24 We compute the probability of (X_a, X_b) for an agent that has only provided one 

25 value, e.g. X'_a, we can assume that the value of the other element is independent of the 

26 value of X'_a and multiply by the a priori probability of X_b, over all agents that have 

27 provided information about their values for X'b and therefore X_b. 

28 
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1 The appropriate noise distribution f can be computed as before by setting the worst- 

2 case probability that an adversary can identify the agent to its desired protection level. 

3 10.4.1 Example 

4 Here is a simple example for a problem where the data is two-dimensional, with two 

5 features. Consider feature a, 'year of birth', and feature b 'car model'. Suppose that agent 1 

6 has submitted car model [VW Beatle, 0.1] to indicate that it selected a random car model 

7 from within a proximity threshold of 0.1; agent 2 has submitted car mode [Mercury 

8 Mistique, 0.05] and year of birth [1962 1968] to indicate that the year is somewhere in that 

9 range; and agent 3 that has submitted year of birth [1965 1975]. Now, agent Z, with true 

10 information (VW Beatle, 1972), computes a randomized data entry as agent 4, based on a 

1 1 privacy threshold of epsilon = 0.4 for an adversary with correct information about agent Z. 

12 Assuming that the Mystique is not within a threshold of 0.05 of the Beatle, agent 2 has 

1 3 placed on probability on its true car model being the Beetle. Also, assume that the proximity 

14 threshold of 0.1 on the Beetle implies that agent 1 has a Beetle car with Pr(Beetle | Agent l) 

15 =0.2. Finally, the probability that an agent over the entire population has a Beetle is 0.1. 

1 6 Furthermore, the probability that an agent in the population was bom in 1972 is 1/(7 + 1 1 ) = 

17 1/18. Therefore, agent Z must place probability P_z on (Beetle, 1 972) such that P_z / (1/18 * 

18 0.2) < 0.4, i.e. P_z < 1/225. To support this, the agent can randomize each data point with 

1 9 probability (1/225)^(1/2) = 1/15, i.e. randomize 1 972 with a uniform distribution of years [- 

20 7, +7], and select a threshold on cars greater than 0.1 to give a smaller probability than the 

2 1 0.2 achieved by agent 1 with a proximity of 0. 1 . 
22 

23 10.5 Bootstrapping A Data Set 

24 Bootstrapping is an important technique for the system of strong data perturbation, 

25 in which we assume that an adversary knows that a particular agent has submitted one of the 

26 data values in a data base, and knows the true values of that agent. 

27 
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1 A problem occurs at the start of a system, when there is little data in the database, hi 

2 this case it is often possible that an agent cannot reveal any information because no other 

3 agent's data can possibly represent the agent's true value. For example, if an agent with age 

4 18 is deciding a level of randomization, and there is currently a handfiil of ages in the 

5 database: {-[24, 28], [34, 38], [42, 46], [42, 44] } then the agent cannot submit a randomized 

6 value and distribution, because the range of implied true ages will always include '18', and 

7 be the only approximate information to include '18'. The agent cannot provide its age to the 

8 database. 

9 We suggest a simple technique to bootstrap the system. The method works in the 

1 0 case that there are a number of different reasons to decline to provide information to another 

1 1 agent in response to its query. An agent provides randomized data and a privacy level eps to 

12 the database, e.g. ([16, 20], 0.2), where [16, 20] is the range of possibilities for an agent's 

1 3 true age, and 0.2 is the desired privacy level. 

14 The SDI database can be configured to only release information when it can verify 

1 5 that it is safe to. Similarly, an automatic method on the client machine of a user can be 

16 configured to only release information when it is safe to do so. The problem that is solved 

1 7 here is that sometimes there is no reasonable amount of noise that can be added to a data 

1 8 value to protect a user's identity. 

19 Another technique to solve the bootstrapping problem could hold all data until it is 

20 safe to release information for the majority of data points, given the state privacy 

21 requirements of users etc. The measure of "safe" is defined by the information in the 

22 database and the privacy level specified by each submitting agent. A more advanced 

23 technique could introduce data periodically as new parts of the data space become 

24 populated, so that there is never an "active" under-populated part of the space. 



25 10.6 Verifying Noise Levels with Playback 

26 We can use a cryptographic technique to verify the distribution of noise that is added 

27 to data - and also to enable replay. "Playback ability" - the ability to reconstruct the original 

28 record from a noisy version of that record is important for a number of purposes. An 
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1 individual may want to obtain proof of a transaction for legal purposes and law enforcement 

2 agencies with appropriate warrants might want to examine original records. 

3 The client-side SDI proxy, or the central data warehouse, must keep a record of the 

4 non-randomized data X, and a method to verify that the randomized data was computed 

5 from data X. To generate a random noise value from a distribution f the agent can use a one- 

6 way "trapdoor" function trap on the object X to generate a seed for a pseudo-random 

7 number generator. The pseudo-random number generator then generates a sequence of 

8 random numbers that are used to create the random perturbation from a well-defined 

9 algorithm. Suitable trapdoor functions known in the art include the RSA encryption- 

1 0 decryption function. It is not necessary for all agents to use the same private/public keys. 

1 1 With this method it is possible to verify randomization and audit data release with 

12 stated levels of randomization. SDI can request that an agent provides: X, f, and the 

13 trapdoor function trap, and can use this information to validate X'. Note, that because trap 

14 is a one-way function the agent cannot fabricate different values of X that would give X' 

15 given random fiinction f. SDI can "playback" the noise perturbation and produce the noisy 

1 6 record from the original record. 

17 11. Architectural Variations 

1 8 There may be commercial contexts in which an SDI service can be established where there 

19 is already in place a pre-existing trust relationship between multiple vendors and a third 

20 party. Such third parties are inherently motivated to provide services to enhance advertising 

2 1 and e-commerce for their existing and potential customers. These third parties may include, 

22 for example, web hosts or e-commerce service providers (ESPS) which often have hundreds 

23 or thousands of sites which they host, Web portals, information and commerce service 

24 manufacturers, advertising and affiliate network services and data analysis and business 

25 intelligence tool providers (which includes the business to business application). 

26 A third party may wish to implement an SDI which operates separately and 

27 independently from the central SDI service. Alternatively, some of these third parties may 

28 install an SDI server on their customer information server. The server may be integrated into 
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1 an existing advertising service which they operate and maintain, in which case the vendor 

2 receives an appropriate fee for data which is exchanged between his/her existing customers, 

3 and a reduced fee (which may be spHt with the central SDI service) for data which is 

4 exchanged by/between a member of his/her SDI service and vendors who are members of 

5 the central SDI service but not of his/her local SDI service. Unless or until the client-level 

6 proxy server becomes a standard or a large critical mass of end-users adopts the service, one 

7 of several compelling business models could be used by a vendor to encourage the visitors 

8 to his/her site to adopt the user-centric SDI service based upon the monetary incentives the 

9 user may receive for subscribing. Typically the resulting revenues are split between the 

10 user, the user-centric SDI service and the vendor (in exchange for promoting the service to 

1 1 their site visitors a share of resulting revenues generated may be necessary). 

12 11.1 An open SDI system 

1 3 An ISP level proxy server can contain the user profile generation module, profile processing 

14 module, user profile interest summary generation module and target object generation 

15 module which operate in distributed manner. This enables an ISP to independently 

16 implement the core fiinctionality of the system without the cooperation of information 

17 vendors (Web sites) or their operators (Web hosts) who opt-out of SDL The modules in 

1 8 third-party SDI servers can share information with the modules in network vendor servers. 

1 9 This flexible architecture enables the user-centric SDI service to be implemented (by ISPs or 

20 completed independently) and when available inter-operating with -the complete data sets 

2 1 available from the information vendors. 

22 SDI can allow third parties to operate their own secure advertising and/or electronic 

23 commerce-based product syndication affiliate network (for all customers), hi accordance 

24 with the preferred implementation of SDI, these "advertisements" are represented at the 

25 item-level and may be distributed across the (proprietary or main) SDI system network 

26 presented in the form of ads, aflSliate or portal links to purchasables or sites (which may 

27 contain target objects as purchasables) and/or simply (transparently integrated) selections on 

28 an e-commerce product catalogue. The users that are also subscribed to SDI, can be given 

29 highly personalized information for each site or for the network of sites (which could 



s 
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1 involve an interface which provides site to site links as a "virtual mall"), and a menu 

2 interface to these sites which includes the 2 or 3 dimensional personalized menu features 

3 and personalized search facilities as disclosed in the parent description (a "personalized 

4 portal"). Traditionally the term "portal" was exclusively reserved for major search 

5 engine/directories such as Yahoo, Lycos, Alta Vista etc. 

6 However, at the present time, there is a trend in which may Web-sites are becoming 

7 what are called "portals" or "community portals" serving a particular e-commerce or content 

8 niche or theme. Often highly robust content and/or extensive (usually web-wide) links to 

9 relevant information resources and web-sites are accessible from such portals in order to 

10 create a "one-stop shop" service to visitors or community members. Additionally, in order 

1 1 to leverage low-cost access to more robust content, a transaction-based or "click-through- 

12 based" or transaction based model is also emerging. This model fits particularly well 

13 within the current framework of SDL In particular user profiles provided by SDI-enabled 

14 site visitors provides the platform for automatic generation of not only personalized ad 

15 banners but also content and portal links, it is reasonable for these community portals as part 

16 of their business relationships with the sites and advertisers to which they provide access to 

1 7 share revenues paid by these sites and advertisers with the end-users (which significantly 

18 increase the click through by virtue of personalization of information at potentially all 

19 varieties at the site resulting from revelation of the profiles from those visitors). As 

20 discussed on the parent case, these pages are pre-cached in advance onto the local server and 

21 client. 

22 Within today's internet infrastructure as pages are typically dynamically generated, 

23 the files are first pre-cached then dynamically generated local to where they are anticipated 

24 to be used. Additionally, high-end community portals typically offer content from external 

25 sources which is sometimes syndicated from content providers which are paid by click 

26 through or transaction. In this model the user or the site may absorb these fees paid to the 

27 content provider (because the content when personalized may appeal to almost any type of 

28 user, most typically the site would subtract a certain percentage of the click through or 

29 transaction fees paid to the user). As is discussed in the parent patent application, content 

30 (e.g. links to specific syndicated items) may also be created based upon the collective user 
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1 statistics those links are presented to the users for which user profile information is not 

2 available (where these page links could be generated on-the-fly based upon the user profile). 

3 The user-centric SDI service also provides valuable information in not only 

4 generating the data model for personalizing site content but in general identifying what 

5 type of content to syndicate to the site. In a variation, it may even be possible to employ 

6 the statistical techniques used by SDI to dynamically select and generate personalized 

7 pages in a much more ad-hoc and unrestricted fashion. Using the syndication model, a 

8 vendor may agree (based upon their associated privacy policies), to enable other sites to 

9 not only syndicate their content which may be contextually relevant to that site, but also 

10 actual portions of the site or portal may be linked fi*om other pages on the site which are 

11 contextually relevant. These pages may be linked fi*om the portal directory or as 

12 hyperlinks which are links to contextually very similar pages (or the vendor may allow 

13 these pages to be modified as needed by the site. As a general site development 

14 technique also the user's click through patterns are usefiil in updating or suggesting 

15 updates to the model to improve the value of the site. Of course, some vendor^s privacy 

16 policies will restrict the ability of some sites which can utilize the content. 
17 

18 1 1 .2 A Closed SDI System for a Syndicated Network 

19 The Web host (or more generally a vendor, a provider and/or operator of server 

20 fiinctionality to a variety of information vendors), may also be interested in operating 

21 his/her own closed version of SDL The main SDI server for the closed system can be 

22 located on the network vendor servers, or it may reside upon the information vendors 

23 servers (as it is operated by that local Web host). For example, an affiliate ad network 

24 (including a web host acting in such capacity) could upon installing SDI onto their 

25 network enable and enforce the wishes and desires of advertisers (and particularly) sites 

26 which are advertised upon with regards to what types of sites and advertisers 

27 (respectively) they allow or disallow for purposes of standard or affiliate advertising, in 

28 accordance with the methods herein disclosed. The general implementation for 

29 determining which this general application for using collective user feedback to 

30 determine relevant site links was described in the parent issued patent). In this case, end 
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1 users who are subscribed to SDI would receive personalized affiliate links (including 

2 product level recommendations for on-site purchases) which have been pooled and 

3 profiled at the main SDI server from all SDI vendors (in distributed fashion) and matched 

4 with the user. Alternatively, such approach may also be used for ISPs who wish to 

5 operate their own closed user-centric SDL 
6 

7 11.3 Interoperability Between Local SDI Services 

8 With interoperable (local) SDI services, we can also facilitate the secure 

9 enforcement of data sharing policies and transfer of transaction fees between these local SDI 
10 services E.g., by/between aggregations of ad networks, syndication networks e-commerce 
IT site, portals and Web hosts operating virtual portals and advertising/syndication networks 

1 2 with personalization as its primary capability. 

13 In each of these primary example domains, the server operator is financially 

14 motivated to sell the SDI services to his/her sites because the transaction based model is 

1 5 used, and the server operator receives the commission on each transaction (or click through) 

16 occurring within his/her network of sites. However, if the server operator also integrates 

17 his/her local SDI service into the main SDI service (to share user lists and impressions 

18 and/or space to advertise to these target users), s/he can receive a commission (in 

19 conjunction with each vendor transacted with) for each advertisement placement or 

20 syndicated transaction to or from his/her network. 

21 We can also allow the local server operator to split the transaction fee (normally 

22 received from the main SDI service), thus "referral fee" for both the referred customer and 

23 the referral of customers (through the placement of outside ads or products on one of his/her 

24 sites) or other means of targeting his/her site's existing customers. 

25 Reduced overhead resulting from economies of scale which may likely result in 

26 incentives to the local operation, e.g., free installation and operation of his/her local main 

27 SDI server by the main SDI service, i.e., as the operational overhead would be cost justified 

28 by the shared transaction fees of customer referrals and advertising space coming back to the 

29 main SDI service. 
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1 This architecture also may be useful and is ideally suited for cross vendor product 

2 advertising as through an ad network or product syndication network using affiliate links. In 

3 addition to the user profile generation module, a target object profile generation module 

4 should also reside across the network vendor servers such that it is possible to generate 

5 target object profiles for target objects on network vendor servers. Alternatively, user 

6 profiles and target object profiles are downloaded to the client level proxy which performs 

7 collaborative filtering tasks as the user browses fi"om site to site. 

8 In both of these cases, the main SDI server can receive user profile data generated 

9 fi'om the user profile generation module located on the ISP-level proxy, and target object 

10 profiles generated fi:"om the target-object profile generation modules located on the various 

1 1 multiple information vendor servers. 



12 12. Ancillary Systems 

13 

14 12.1 Support for Pseudonymous electronic mail 

15 The ISP-level proxy server is positioned just behind the firewall of the user's local 

16 dial-up network (ISP or Intranet). The proxy provides protection for users operating under 

17 pseudonyms fi-om point-to-point attacks and HTTP header-tracking by stripping HTTP 

18 header-information and forwarding HTTP packets on to their destination with no 

19 information other than their source at the ISP-level proxy server. The ISP-level proxy also 

20 supports pseudonymous e-mail, between users, and between users and vendors. 



21 Figure 2 shows a couple of users connected to clients, that are in turn connected to 

22 the Internet through a local intranet, such as the network of an Internet Service Provider 

23 (ISP). 

24 The proxy 'Vashes" outgoing messages of any information that would compromise 

25 a user's pseudonymity, for example the "referral" field that contains the previous URL of a 

26 user in a HTTP message. HTTP messages also leak other information, for example browser 

27 software on a user's client machine, the operating system and a user's IP address. 
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1 A user can receive electronic mail through the PID and associated IP address of the 

2 ISP-level proxy server. 

3 The preferred implementation of this system allows the user to periodically check 

4 for new mail. The client-level proxy gains access to the mail box that is associated with a 

5 pseudonym by providing a correct response (signature) to an ISP-generated challenge. 

6 Notice that with this solution, the ISP-level proxy has no way to connect the pseudonyms of 

7 a user, so long as the user's client is not identified in its messages to the ISP-level proxy 

8 server other than by the PID that the proxy makes a request for. 

9 We can extend this mechanism using a technique taught in the Lucent Personalized 

10 Web Assistant (LPWA). The LPWA [BGGMM 97; BGGMM98] provides for a sequential 

1 1 access mechanism to the mailboxes that belong to a user through a one-way function that 



12 takes the user's SDI log-in name and password, and an integer from 1 to N, and computes 

1 3 the mailbox location. The mail server does not need to maintain a list of pseudonyms for 

14 each user, because the user is able to efficiently access all of its mailboxes sequentially as a 

1 5 function of other information. 

16 Another variation, that relies on the user placing trust in the ISP-level proxy server, 

1 7 provides the ISP-level proxy with the e-mail address for each pseudonym. This push method 

1 8 is more efficient, because the ISP proxy and the client proxy communicate only when new 

19 messages arrive, but provides the ISP proxy with information to compute all the 

20 pseudonyms for a single user — ^probably undesirable. 

21 12.2 Support for Pseudonymous Physical Mail 

22 12.2.1 Vendor to User 

23 A vendor must hold a "physical mail certificate" to be able to send mail (packages, 

24 letters) to a user under a pseudonym. The certificate is similar to the "electronic mail 

25 certificate", in that it is signed by the private key of the user's pseudonym, and indicates that 

26 the vendor with public key P*V can send mail to the user (under the pseudonym). 
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1 Each user has a trusted physical address authority, just as it has a trusted electronic 

2 mail authority (the second-level proxy server), that maintains the physical mailing address 

3 for each pseudonym. When a vendor has a letter X to mail to user with public key PKP, the 

4 vendor generates a unique ID for the package, IDX, and sends the ID code and the physical 

5 mail certificate to the trusted physical address authority of the user. 

6 The physical address authority receives the certificate, S( (PKP, PK*V, 

7 SEND_MAIL), SKP), that indicates that the vendor is authorized to send mail to the 

8 pseudonym, and the packages identify code, signed by the vendor to certify that the vendor 

9 holds the secret key that matches the public key in the physical mail certificate. 

10 The vendor then passes the letter X and the signed ID code to a trusted mailer, that 

1 1 supports pseudonymous mailing, and has been certified by the central SDI server as such. 

1 2 The trusted mailer then provides the signed ID code to the physical address authority, signed 

13 with the private key of the trusted mailer. The physical address authority verifies that the 

14 trusted mailer is a valid service, and releases the real address of the user to the mailer. The 

1 5 mailer now has the letter X that the vendor wants to send to the user with pseudonym P, and 

1 6 the physical mailing address of the user - and the package can be mailed. At not time did the 

1 7 vendor determine the true mailing address of the user, unless it works in collusion with the 

1 8 trusted mailer, but the trusted mailer is certified by SDI, and also audited by the chosen 

19 physical address authority of the user. The address authority will only release addresses to 

20 reputable pseudonymous physical mail agents. 

21 We can operate physical mailing lists in the same way, and gain additional security 

22 by never releasing the pseudonyms or the mailing addresses to the vendor that has requested 

23 the targeted solicitations. We can use a technique that is similar to the technique that we 

24 used for virtual mailing lists. The vendor describes its solicitation to the central Secure Data 

25 Interchange, which leverages as much data as possible (without violating the privacy 

26 policies of any of the users or vendors that are represented within the data). The central SDI 

27 server generates a list of suitable pseudonyms, and then provides a series of unique codes to 

28 the vendor, that the vendor can supply to its chosen pseudonymous mailer with the material 

29 that is to be mailed. The central SDI server also provides the appropriate address authorities 
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1 with authorization to release the physical mail addresses to the mailer when presented with 

2 the IDs. Notice that at no stage did the vendor have the pseudonyms or the mailing 

3 addresses. The parties all have only as much information as is necessary - the vendor needs 

4 someway to identify its packages to the pseudonymous mailer. The mailer needs an 

5 identifier to present to the address authority, and receives the addresses. The address 

6 authority just needs to know what addresses to release and to which third party. 

7 1 2.2.2 User to Vendor mail 

8 The Secure Data hiterchange system also provides a mechanism for users to send 

9 physical mail to vendors that are registered with SDI with pseudonymous return addresses. 

10 In particular, when a user sends mail to a vendor, the first-level proxy server provides a tool 

1 1 that: (1) Computes/Looks-up the appropriate pseudonym for the user with this vendor. (2) 

12 Generates a unique ID, and submits a signed message to the central SDI-server, where the 

13 message relates the pseudonym, the vendor, and the ID. (3) Provides the unique ID to the 

14 user. 

1 5 The user writes the unique ID on the envelope, and mails it to the vendor. Should the 

1 6 vendor wish to reply to the user, then the vendor can take the envelope to a pseudonymous 

17 mailer, and request that the envelope be mailed appropriately. The pseudonymous mailer 

18 verifies the identity of the vendor, and then submits the ID, together with the vendor's 

1 9 signature, and its own signature, to the physical address authority that is maintained by SDI. 

20 SDI releases the address to the mailer that can then retum the mail. 

21 12.3 Pseudonymous Payment Mechanisms 

22 The Secure Data Interchange architecture must be able to support all the standard 

23 electronic commerce functions that we take for granted, but while maintaining 

24 pseudonymity for users and following privacy policies. There are various different solutions 

25 to -this problem. 

26 
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1 12.3.1 Anonymous Credit Card Payment [LMP 94] 

2 The second-level proxy server can maintain information on the user's credit card 

3 information, and perform the following transaction. Whenever a user makes a purchase from 

4 a vendor, the user provides the vendor with authorization to bill $x to his/her credit card 

5 account, but anonymously - through the Secure Data hiterchange as a middleman. The user 

6 generates a unique number, Y, and signs a "right to paymenf message, M=( $x, PKP, PKV, 

7 Y), that gives the vendor the right to make a claim for payment of $x from the Secure Data 

8 Interchange. The first-level proxy server registers the unique number Y with the second- 

9 level proxy server to ensure that the vendor does not spend the money twice, and provides 

10 the proxy server with authorization to charge $x to his/her credit card when the request for 

1 1 payment is presented. 

12 When the vendor submits its "right to payment" and proof of identity to the second- 



1 3 level proxy server the proxy server first runs the charge through the user's credit card, and if 

14 that clears, runs the charge from the vendor through the account of SDI (which could also be 

15 a credit card, or could be operated as electronic cash or some other mechanism for 

16 payment). 

1 7 This "anonymous credit card" payment method has the following properties: 



18 1 . The user's credit card pays $x, but does not know who receives the money 

1 9 except that it is going to the Secure Data hiterchange. 

20 2. The vendor receives payment for $x, but does not know the user's credit card 

2 1 information, or the user's identity. 



22 ^The Secure Data Interchange incurs no financial risk because it receives payment from the 

23 user before making payment to the vendor, although there could still be problems if the user 

24 complains about the quality of the good for example. 

25 

26 This protocol is simpler than fiill cryptographic anonymous credit card mechanisms because 

27 the SDI acts as a rusted third party to both the user and the vendor. 
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1 12.3.2 Electronic Cash [Chaum 85; Chaum 92] 

2 Electronic cash is anonymous, just like physical cash. The user purchases electronic cash 

3 from an electronic bank, presenting blinded notes, so that the bank has no record of the note 

4 numbers that it issues to the user. For example, the user generates a new note number, X, 

5 and has the bank sign a blinded copy with its $10 signature, S(B(X), SKBANK$10). Then 

6 the user, or the first-level proxy for the user, removes the blinding factor, and can use the 

7 electronic cash as tender. Whenever the note changes hands the recipient needs to check 

8 with the bank that it has not yet been spent, because notes are easily copied, but not forged. 

9 Electronic cash has the same useful properties as anonymous credit cards, although it is 

10 perhaps a little more exotic. In particular, notice that the bank does not know to whom, or 

1 1 for what, payment has been made, and the vendor does not know which user made the 

12 payment - it just receives the payment. We have minimized the amount of information 

1 3 exchange that takes place between the various parties in the system. 

14 



15 1 2.4 Client-Side SDI Proxy 

16 The client-level SDI proxy, implemented as a client program running on the user's client 

17 machine, manages all data transfer between the client machine (and the user), and other 

1 8 vendors and the central SDI data warehouse. A key function of the client-level proxy is to 

19 implement profile management for a user, to control the ability of agents to track a user as 

20 he/she interacts with multiple vendors. The client-level proxy also controls release of profile 

2 1 information: the addition of demographic and other personal information to profiles, and the 

22 control of random perturbation to fields to prevent linking across user profiles. 

23 The client-level proxy maintains profile information for a user's collection of pseudonyms, 

24 and allows the user to view and challenge profile information. The proxy also provides a 

25 rule-based interface to allow a user to select appropriate privacy/personalization policies. 

26 The primary mechanism that protects the identity of a user across multiple vendors and 

27 service providers is the ability to interact pseudonymously with vendors. The user can 
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1 choose a unique pseudonym for each third party with which he/she interacts, and be 

2 absolutely certain that he/she is the only party that knows his/her true identity. There is no 

3 way that a vendor can know anything about the transactions that a user has had with other 

4 vendors under alternate pseudonyms unless the user chooses to disclose the equivalence of 

5 pseudonyms, or use the same pseudonym across multiple vendors. 

6 13. MOPES OF USE OF SDI 

7 It is useful to distinguish three key modes of use of the Secure Data Interchange system: 
8 

9 o Static data-mining. Query execution with no dynamic requests for new 

1 0 information from information providing agents. 

11 o Interactive data-mining. Query execution that includes dynamic attempts to 

12 request additional information from information providing agents. 

13 o Client-side data-mining. Query execution that is performed on the local client 

14 machine of an agent, based on data stored exclusively on that machine. 
15 

16 All three modes may use distributed information, i.e. it is possible that the information is 

17 stored in the central SDI database, or on distributed client-side information servers, or in 

18 third-party servers. The first 'static' case and the second 'interactive' case are 

19 distinguished from the third 'client-side' case in that the query execution is performed 

20 centrally in the SDI data warehouse in the former, and on an agent's client machine itself 

21 in the latter. Client-side data mining has particular application to privacy-protected 

22 customization of information and services in on-line business-to-consumer applications. 
23 

24 1. Static Data Mining 

25 In static data mining queries are executed on the information that is currently present in 

26 the SDI data warehouse, and there is no opportunity to contact agents and request more 

27 information. Applications of this type of static data mining include all types of "standard" 

28 database queries, where it is assumed that the data set is static. Queries may be open- 

29 ended, i.e. "find me all data records of this type, and perform the following operations.." 
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1 or closed, i.e. "perform the following query on the data record for agent with pseudonym 

2 PI". Queries may also have side-effects, i.e. "find all records that satisfy this constraint, 

3 and then take action A". 
4 

5 2. Interactive Data Mining 

6 In interactive data mining multiple agents may be contacted by the system of Secure Data 

7 Interchange in the process of executing a query, to request new information fi*om agents, 

8 or push information to agents. A central application of this mode of data mining is 

9 matchmaking, which is a process where information flows between agents if and only if 

10 both the profiles of both agents are mutually compatible. In interactive data mining the 

1 1 querying agent does not need to know the identities of agents that are contacted by SDI, 

12 this is all transparent, and hidden from the querying agent. 
13 

14 3, Client-Side Data Mining 

15 In client-side data mining the querying agent executes a query with the information 

16 associated with a specific agent, and the information remains located on that agent's 

17 client machine throughout the query. The query is executed by providing the query 

18 method to the client machine, processing the method with local information, and then 

19 returning a response or taking an appropriate action (e.g. displaying product X for price 

20 Y). A central application of client-side data mining is to privacy-protected customization, 

21 where a vendor wishes to customize its products and services for a particular agent that is 

22 registered with SDI, and take advantage of personal information relating to that agent that 

23 is not generally available. As another application, we describe a client-side advertising 

24 auction, where advertisers compete for the right to display a barmer advert to a user, 

25 based on local information about the user's preferences. 
26 
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1 4. Applications: Very Brief Overview 

2 In the next section of the SDI description we describe some specific variations and 

3 systems that can be implemented within the general architecture. In overview, we 

4 describe the following key applications: 
5 

6 o Safe user profiling and personalization. This allows on-line users to receive 

7 personalized information and services without providing personal information to 

8 vendors, so that users retain control over their personal information. Users can 

9 interact with vendors under different pseudonyms, and provide information to the 

10 central SDI data warehouse to allow data mining. Finally, users can allow specific 

11 vendors to execute queries, where the result of the query is information that 

12 allows that vendor to customize its service. 

13 o Client-side user profiling. The client-side SDI proxy can monitor the browsing 

14 behavior of a user, and submit data periodically to the central SDI data warehouse 

1 5 with appropriate meta information to provide the user with guarantees about the 

16 type of information that can be released to vendors during query execution. 

17 o Static Data mining applications. Agents can submit queries to the data warehouse 

18 query-execution module and perform data mining and collaborative filtering on 

19 aggregated and anonymous information provided by data submitted to the 

20 warehouse by agents. 

21 o Interactive data mining applications. Agents can request actions fi-om the SDI 

22 system if certain conditions are found to exist in information, for example SDI 

23 can send information to other agents about services or products, if good matches 

24 are found. Another example is a request that a certain number of agents with 

25 particular properties be contacted and asked to take a particular action, we give an 

26 example within a transportation domain. 

27 o Pro-active data mining. The system of SDI might itself pro-actively execute data 

28 mining queries, and index and classify certain types of data to allow more 

29 efficient future query execution, and to also suggest useful information to its 

30 client agents. The answers to popular queries can be priced and cached, so that 

3 1 providing agents receive value whenever an answer is sold to another agent. The 
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1 system of SDI might advertise a set of queries to allow vendors to select pre- 

2 computed results. 

3 oMatchmaking applications. We described in the top-level description of SDI a 

4 technique to implement "persistent queries", which reside on the central data 

5 warehouse's query execution module, and are triggered whenever the correct 

6 conditions exist in the data base. One typical use of such a query is to say 

7 "introduce me to other users with property P", such that the system introduces 

8 user A_l with user KJ2 if A_l has the property required by A_2 and also A_2 has 

9 the property required by A_l. This is equivalent to "introduction by mutual 

10 consent", and is possible within SDI without information leakage, because the 

1 1 only agents that are informed of a match are the agents with the correct properties. 

12 Applications exist to finding a business partner, funding a new start-up (incubator 

13 Co.), forming an interest group, n-way negotiation, introducer system (by mutual 

14 consent). 

15 o_ 

16 13.1. Static Data Mining Applications 

17 This section describes specific applications of SDI-based static data mining. A 



18 central example is collaborative filtering and personalization applications in electronic 

19 commerce, where consumers and vendors provide information to SDI, and the 

20 information can be queried within the price and data-access rules placed with the data by 

21 owners of the information. We refer to the variation of SDI with consumer profile 

22 information as the "iamworthit" system, because users can place profile information in a 

23 shared database and receive payments in return for queries performed by vendors. 

24 Vendors can use the profile information to build better customization models, and 

25 provide customized products to customers based on their profiles and what has worked 

26 with other customers with a similar profile. 
27 

28 We limit our attention in this section to "static" datamining, which as defined in the 

29 mid-level SDI description allows agents to query the data, but without contacting the agents 

30 to request more information. All queries are performed on the basis of tiie information 



Page 133 of 381 



SUBSTITUTE SPECIFICATION 



1 already submitted to the database, and the rules associated with that information. Within the 

2 set of static queries, we do allow a vendor to identify a specific agent within a query 

3 command, so that if a user provides an identifier to a vendor then the vendor can query the 

4 database with its collaborative filtering model and determine an appropriate action to take. 

5 It is possible to request an action as the result of a query, for example "send message 

6 X to all users with profile information Y", so long as this message is not contingent on as 

7 yet unknown information about the user. We describe specific examples, for example to a 

8 smartbrowsing system, an education portal, and an advertising network. 

9 One of the core purposes of SDI is to provide a common location and format for 

1 0 information that has been gathered fi^om a wide variety of sources and that might require 

1 1 different sorts of analysis. Since its firamework is designed to handle different types of data 

12 and algorithms, SDI can be used as a platform to explore and exploit the rich connections 

13 that potentially exist within and across the databases of different vendors and customers. 

14 The system is designed to allow vendors to execute queries over profile information 

15 provided by multiple agents, and ensure that all queries are consistent with the policies 

1 6 outline by agents as information is first submitted. 

17 The central SDI server can also support cross-vendor and single-vendor 

18 personalization tools, such as multi-attribute collaborative filtering techniques. The 

19 queries can be executed to enhance a vendor's model, without providing the raw data to a 

20 vendor. A vendor's model can be enhanced without explicitly revealing any information 

21 about user profiles. The SDI server ensures the integrity of data, and prevents data being 

22 used for unauthorized purposes. A query will receive access to data as permitted by 

23 certificates presented by the querying agent, and to the extent that the querying agent is 

24 willing to make payments defined in the price-access rules associated with the data. As 

25 discussed in the top-level SDI description, the query-execution module implements an 

26 internal market with the data, and executes an agent (i.e. a vendor's) query as cheaply and 

27 efficiently as possible. 
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1 13,1 .1 ^Statistical Techniques for Multi-dataset Collaborative Filtering 

2 This section describes a statistical method for cross vendor and cross data-set 

3 collaborative filtering. The example considers particular types of data and analytical 

4 methods and suggests forms of validation that can be made available within SDL 

5 In describing this system, we show how the Secure Data Interchange architecture can 

6 integrate the architecture issued U.S. Patent No. 5,754,939 "System for Customized 

7 Identification of Desirable Objects" into a system for secure data exchange between 

8 multiple parties. The aforementioned patent teaches a method for profiling objects and users 

9 over a bi-directional distributed network, such as: an ISP, multiple ISP networks, a Web 

10 hosting network, or server software (such as data mining or recommender software) that is 

1 1 linked to a coalition of sites (such as a portal or bitemet mall). 

12 The current invention, the system of Secure Data Interchange, allows correlations to 

13 be identified between vendor's data sets, that allows accurate profiling through the 

14 application of statistical methods, without providing vendors with explicit access to the 

1 5 profiles of users - because profiles are provided in anonymized and randomized forms. 

16 There are less efficient methods that can be used to identify correlations, for example using 

17 customer demographics, and vendor categories, to suggest which vendors might be well 

18 placed to form dynamic syndication relationships. Witii SDI it is possible to leverage as 

19 many data sources as are available, about users and the target objects witii which they 

20 interact, hi fact the degree of the measure of improvement in predicting user behavior (or 

21 increasing click through) is approximately in direct proportion to the square root of the 

22 number of user profiles and target profile interest summaries which are known. The 

23 emphasis in the aforementioned patent is on the bilateral relationships between vendors and 

24 users, and the architecture is not designed to support secure and privacy-protected data 

25 interchange and analysis across the user bases of different vendors. 

26 In the system for SDI we push control of the profile for each user to the client software that 

27 runs on the machine local to the user, and provide for personalization through dynamic 

28 processing of information on the user's client machine. Similarly, -we enable vendors to 

29 exchange data sets only to the degree that is mandated by users, and provide technical 

30 solutions to enable significant leverage of data while maintaining user privacy. 
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1 The supporting architecture as stated in the above referenced patent also allows for 

2 profiling statistics to be collected and processed in a distributed manner. In the present 

3 invention the profile generation capabilities can be implemented at various levels, depending 

4 on where profile information is physically located. As described earlier, the central SDI data 

5 warehouse can be nothing more than a 'Virtual" database, with multiple links to data that 

6 physically resides on client machines that belong to users and vendors. 

7 To enable useful cross-vendor profiling, vendors can submit web pages that are 

8 tagged with profiles of target objects, user quality ratings based upon overall quality as well 

9 as other criteria (e.g., value, price, entertaining, informative graphic/visual appeal, etc.), 

10 location data (for target objects representing physical or geographical items), etc. User 

1 1 information, in addition to profiles, can include data mining and trend analysis statistics, and 

1 2 user provided ratings for target objects. 

1 3 As previously described in this patent, various conditions can be placed on the way 

14 in which a set of data may be used (i.e., can the user make a personal copy of the dataset?), 

1 5 as well as on the privacy controls put in place. It might well be that a vendor or a user is 

16 willing to share only a portion of his database, or that he will release only randomized data 

17 in accordance with the level of privacy he has guaranteed his customers. Although such 

1 8 restrictions could impact the content of the data analyzed by a vendor, as long as it is kept in 

19 an SDI-compHant format it can be analyzed by SDI's suite of tools. 

20 The data that is stored in tiie central SDI server has tight usage restrictions. For example, the 

21 user will have specified (via a price-policy) that data can only be used by querying agents 

22 that are able to present certain types of certificates, only anonymously, etc. The central data 

23 warehouse maximizes the value of data by analyzing conditions and supporting queries with 

24 the cheapest possible price rules. 

25 The information that is stored in the central SDI data warehouse can be provided by users, 

26 via their SDI client-level proxy agents, and relating to their own individual purchasing and 

27 buying habits. Alternatively, the data might be provided by vendors, and relate to what 

28 information that vendor decides to release about its customer base— and in agreement with 
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1 stated practices that the vendor follows about the information that it collects on its 

2 customers. 

3 It is not necessary for data records to physically reside on the central SDI data warehouse. A 

4 vendor may provide links to data, and use a locally secured query-execution module to 

5 carefully control queries of the data. For our current purposes we assume a uniform data 

6 access model, where although both data and algorithms might reside either at vendors' home 

7 locations or within the SDI system itself, the general analysis works transparently across 

8 these boundaries. 

9 For security reasons, the contents of databases may be injected with a small amount of 

10 noise. This prevents database users from surreptitiously connecting database records to 

1 1 individual customers, yet maintains the quality of inferences made about the database in 

12 general. This is described earlier, as noise-perturbed data release. Although such "noisy" 

13 records don't pose too much of a problem for those methods that make generalized 

14 inferences, it should be noted that recommendations made for individual customer vectors 

15 that have undergone such randomization will be less useful, since predictions are being 

1 6 made for a noisy target. 

17 A final consideration is the reduction of the data vectors' dimensionality (which can be 

1 8 extremely high), since it is harder to make clean inferences about sparse data. There are 

19 many standard methods that can be used to achieve this, such as Principal Components 

20 Analysis. Another approach is to adjust the granularity of the data, if at all possible. In a 

21 music store analysis, for example, there might be many more album titles that artists (since 

22 each artist can produce multiple albums). In such a case, purchases could be recorded by 

23 artist rather than by album, greatly reducing the dimension of the customer vectors' 

24 purchase space. 

25 13,1 .1 .1 Data Structure 

26 In this application there are many types of information which can characterize both 

27 users and items. SDI is intended to function as the intermediary between a vast web of 

28 vendors, on the one hand, and individual consumers, on the other hand. Major sources of 

29 data include: 
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1 1 ) Demographic. Such data will most likely be elicited by SDI from vendors and 

2 consumers when they initially register for the service, and details very general 

3 characteristics about them. It will consist of numbers and categorical values (age, zip 

4 code, sex, level of education, etc.). 

5 2) Commercial. This is the kind of data any that vendor collects in the course of doing 

6 business (especially e-commerce); generally, it links customer codes to purchase 

7 items, dates, quantities, and prices. Depending on the nature of the business, this data 

8 could be fairly complex, and might well include text. For example, one could imagine 

9 that a bookstore, in addition to keeping track of its sales history, collects book 

1 0 reviews, author profiles, and plot summaries. 

11 3) Behavioral (vis-a-vis the hitemet). A user's client-side SDI proxy can monitor 

12 his/her browsing behavior on the World Wide Web, monitoring the pages a user hits, the 

1 3 click stream and content requested, etc. Click stream information can be useful, for example, 

1 4 because it can indicate a user's interest in the information that it is presented with. 

15 

16 We assume that vendors and/or a third-party annotate web pages with tags, that 

17 provide a commentary of a web page and allow meaning to derived from a user's browsing 

1 8 behavior, 

19 The mere presence of such tags allows for correlations to be drawn between 

20 different web pages (e.g., a common Extensible Meta Language (XML) tag used by travel- 

21 related sites), because it implies similarity. Furthermore, it is conceivable that such tags 

22 could encode more refined measures of a web page's content, such as browsers' evaluations 

23 of its value. For example, a web page of interest to scale modelers, in addition to having 

24 images and text related to model trains, might have an XML tag that shows that other scale 

25 modelers have given the web site a "five-star" rating. This page should therefore be given a 

26 greater weight when SDI is used to create correlations of interest to model hobbyists. 

27 In what follows, we assume that SDI contains data of the following types: 

28 1) Numerical (e.g. an age, price, or period of time). 
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1 2) Categorical (e.g. a color or musical genre). 

2 3) Text. 

3 

4 We describe a mathematical model for computing useful collaborative filtering queries 

5 across heterogeneous data records, such as the data stored within the central SDI data 

6 warehouse. Throughout, we present only the basic mathematical model. In implementation 

7 the query would be formulated in a general-purpose language, for example Java, and 

8 executed in the central SDI data warehouse subject to the conditions on access to data as 

9 expressing users price-access rules. 

10 13,1 .1 .42 _Computing Correlations Between Data Points 

1 1 A common task for SDI is to compare and correlate different customers, which 

12 might well be represented by mixed collections of numbers, categories, and blocks of text. 

13 This is handled by treating each customer Ci as a vector in a space whose coordinates 

14 correspond to the fields of data available. In the following description we refer to a 

15 customer, but when a user interacts with a vendor under a pseudonym, the profile 

16 information will only relate to- information provided to the central SDI server for that 

1 7 pseudonym. 

18 If there are m numerical pieces of data available, there will be n corresponding 

1 9 coordinates in the data space, (xi, . . ., Xm). 

20 For each category i, there will be a corresponding number of values, ni. Hence, for a color 

21 category {red, white, blue}, ncoior = 3. Since each value is assigned its own coordinate, 

22 category i is represented as an ni dimensional vector, yi. Hence, the total number of 

n 

I", 

23 dimensions used to describe the full -set of n categories (yi, . . ., yn) is 
24 

25 Note that sparse methods are especially useful here, since a categorical vector yi will 

26 typically consist of mostiy zeroes, with a single non-zero coordinate representing the 
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1 categories' value (i.e., we encode the color red, using the previous example, as (1,0,0) ). 

2 Note also that category vectors with different values are treated as orthogonal by the system. 

3 A final issue is the representation of text. As described in previous related patents, 

4 all relevant blocks of text in the database are converted into a dictionary that maps unique 

5 strings to the number of times they appear in the database. An appropriate TF/IDF weighting 

6 function is chosen and calculated for each of the p words that appear in the dictionary. The 

7 full set of text connected to a single customer can thus be represented as the vector (zi, . . 

8 Zp), where each zi equals the number of times the word i appears in text related to the 

9 particular customer multiplied by the TF/IDF score assigned to word i. 

10 In summary, when a database describes its customers using a combination of 

1 1 numerical values, categories, and text, customer i can be represented by the vector Ci=(xi, 

12 ...,Xn, yi, ...,ym,Zi, ...,Zp). 

1 3 13^1 . 1 .§3 __An Example Profile Vector 

14 Suppose we have a database containing information on customers' ages, their musical 

15 preferences (i.e. an answer to a survey asking: "Which do you prefer, Mozart or the 

16 Beatles?"), and the contents of the emails they've written. Furthermore, suppose the only 

17 salient variables in all the emails written consist of the words "Beatles", "Mozart", and 



1 8 "practice", and that we are using the function 



19 



20 Where nx represents the number of times word x appears in the dictionary. We now want to 

2 1 represent one of the customers in the database; he's a 1 0-year-old boy who prefers Mozart to 

22 the Beatles, and who wrote an email to his friend that mostly describes his attempts at 

23 practicing Mozart, but in passing mentions his sister's new Beatles CD. Suppose he uses the 

24 word Mozart 2 times (although it appears 456 times in the full database of all customers' 
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1 emails), the word Beatles 1 time (appears 217 times in database), and the word practice 3 

2 times (appears 77 times in database). 

3 We define the following coordinates: 

4 xi = age = 10 

5 yi = {Mozart, Beatles) = (1 ,0) 

6 zi = # of times customer uses word "Beatles" x TF/IDF("Beatles") 

7 Z2 = # of times customer uses word "Mozart" x TF/IDF("Mozart") 

8 Z3 = # of times customer uses word "practice" x TF/IDF("practice") = 

9 

1 0 In our example, then, we might encode this boy as customer 1: 

11 c, = (xi, y,, zi, Z2, Z3) = (10, 1, 0, 0.067, 0.094, 0.342) 

12 13,1 .1 M _Choosing an Appropriate Level of Data Granularity 

13 We define the term granularity to denote the level of detail available within a given 

14 set of data, which is often structured hierarchically. Suppose a grocery store database 

1 5 contains records for a box of flavored gelatin powder. This could be categorized in a variety 

1 6 of ways; moving from the most specific to the most general, we might treat this data point as 

17 "12.5 ounce, strawberry flavor, Jello-brand gelatin dessert" (which would be entirely 

18 different from "12.5 ounce, banana flavor, Jello-brand gelatin dessert"), or as "12.5 ounce 

19 Jello gelatin" (a categorization which would treat as identical the strawberry and banana 

20 Jellos), or as "flavored gelatin", or as "dessert", or as "food", or as "grocery". 

2 1 When analysis is performed on such data, the level of granularity chosen will have a 

22 strong effect on the outcome of the analysis. If the level of granularity is too fine-grained, 

23 the data will be too sparse, although it could be potentially aggregated to the next highest 

24 level of granularity. If the granularity is too coarse, the results of the analysis might be 

25 overiy general (e.g., a customer would find a collaborative filter useless if the only 

26 recommendation it makes for a dessert choice is "go to the grocery section of the store"). 



= 1 * 0.067 = 0.067 
= 2 * 0.047 = 0.094 
= 3 * 0.114 = 0.342 
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1 Since the level of granularity will have a salient effect on the outcome of an analysis, 

2 it should be chosen very carefully, and might well play a factor in pricing when a vendor 

3 chooses to sell its data. 

4 13,1 .1 .75 ^Statistical Methods for Data Analysis 

5 In order to perform a wide range of analytical tasks, SDI needs to make use of a 

6 variety of computational approaches. These are described below, starting with the simplest 

7 methods first. 

8 o( 1 )~ Standard Database Searches 

9 o_ 

1 0 Since most of the data will be stored in centralized databases, simple searches, queries, 

1 1 and data filters can be implemented by means of standard SQL commands. Typically, 

12 data will be collected or sorted using efficient database calls before being fed through 

13 analysis routines; once complete, the results can be fed back out to the database 

1 4 environment for further efficient manipulation. 

1 5 o(2) Metrics - Measuring the Similarity Between Profile Vectors 

16 o 

1 7 Given two customer (or vendor) profiles, Ci and Cj, it is firequently desirable to know how 

18 similar they are. For this purpose, we define the similarity metric M(ci, cj) to be a 

1 9 function that takes as input two customer vectors and returns as output a numerical value 

20 in the range [0,1]. When two customers Ci and c, are identical, M(Ci, Cj)=l ; when they're 

2 1 completely different, M(q, Cj)=0. 

22 The problem is somewhat simplified by the fact that we treat all customers as vectors. 

M(A,B)= cosO^j^^ 

23 Given two customer vectors, we can use the correlation between them to serve as our 

24 metric: 
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1 Note that 0 here represents the angle between the vectors A and B, and that we expect 

2 all coordinates of the vectors to be positive (in order for M(A3) to keep its output in the 

3 range [0,1]). 

4 In more complicated cases, however, a customer vector might contain multiple fields 

5 with varying ranges of values. For example, we might have customer vectors of the form 

6 Ci=(agei, incomci), in which the maximum age is 80, but the maximum income is 

7 300,000. hi such cases, the coordinates with larger values will dominate the similarity 

8 metric, overwhelming any influence that smaller fields might have. 

9 This requires a normalization of the customer vectors, which can be done in several 

10 different ways. One approach would be to scale every coordinate by the maximum 

1 1 observed value, forcing all coordinates to lie between 0 and 1 (again, enforcing the 

1 2 rule that all coordinates must be positive). 

age. income^ ] 

C- — 

' V max(age) ' max(income)J 

13 

14 The only problem with this is that if a coordinate's maximum value is an outlier (being 

1 5 vasfly bigger than the typical value), most of the coordinates' values will seem unusually 

1 6 small once they are scaled by the maximum. In such cases, it might be better to scale the 

1 7 values with a "squashing" function such as the sigmoid, which deadens the impact of 

1 8 extreme values; one such configuration would be the following: 



^S^i ~ ynean{age) 



income- - mean{income) 

incomei = 

^income 
^ age. incomei ^ 

e ' e 

19 
20 
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1 Note that the mean and variance of the data points are used to fiilly normalize them, 

2 such that the sigmoid function will spread the values somewhat more evenly between 

3 zero and one. 

4 The previous approaches are especially useful for single numerical fields, which might 

5 well overwhelm each other if some sort of normalization isn't performed. 

6 A different problem arises for text or large categorical fields, since they can potentially 

7 consist of hundreds of coordinates capable of overwhelming the influence of single 

8 numerical fields. Suppose we believe the age of a customer is as important as the text of 

9 articles read. In such a situation, the thousands of coordinates devoted to the text field 

10 would dominate the metric 's behavior, negating any influence that age would have on 

1 1 our measure of similarity - clearly not a good situation. 

12 A solution to this would be to find the correlations among the fields taken separately, 

13 then average the result. That is, if each customer q = (agCi, texti), where textj is a vector 

1 4 with a very high number of dimensions, we could define the metric: 

/ \ ( carriage. , agCj ) + corr{text^ , textj)^ 
M[c,,cj]=y ^ ] 

15 Where 

C.-Cj 

corr{c.,Cj)=Y-\\ f 

14 ■ 

16 
17 

1 8 The result is a metric that gives equal influence to each field. 

1 9 o(3) Forming Vectors Into Groups 

20 o_ 

21 The process of classification is essential to collaborative filtering, as it allows different 

22 vectors to be formed into groups based on some measure of similarity. If we are able to 

23 create groups of customer vectors, for example, we can then give individual customers 
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1 recommendations based on the patterns of their group-mates, who presumably have 

2 similar tastes. 

3 K-means Clustering and Nearest Neighbor algorithms are extremely useful for grouping 

4 purposes: previous iReactor patents -give a full and detailed description of our 

5 customized versions. This section gives a brief overview of these methods. 

6 f3.n Clustering 

7 K-means Clustering is an algorithm used to partition a coordinate space such that all 

8 vectors in a given partition are more similar to that partition's vector average (the 

9 centroid), than to the centroids of any other partition. It is a process that iterates over the 

10 following steps: 

11 0. "Seed" the coordinate space with the initial centroids, which are vectors used to 

12 describe the centers of the clusters, in the sense that they are the average of all the 

13 vectors currently assigned to the partition. This can be done randomly (assigning 

14 centroids random coordinates) if no other information is available, or it can be guided by 

1 5 pre-existing information. For example, if we wish to cluster vectors of music customers, 

16 we can use information about musical genres to create initial partitions that correspond 

17 to pop, gospel, classical, etc. This will locate the centroids in well-spaced intervals 

1 8 across the coordinate space. 

19 1 . Assign vectors to the most similar centroids. This is done for each vector by scanning 

20 across all centroids and calculating similarity M(vector, centroidj ); once finished, the 

21 vector is assigned to the cluster whose centroid has the greatest similarity, ha this stage, 

22 vectors may switch their allegiance fi-om one centroid to another, if the relative distances 

23 to the vector have changed sufficiently since the previous iteration. If no vectors change 

24 their allegiance, the iteration process is complete, and the algorithm stops. 

25 2. If the iteration is not complete, recalculate the centroids by setting them equal to the 

26 average of those vectors that have been assigned to them. Go back to step 1 . 

27 
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Once the algorithm converges, the vectors are grouped into clusters. The centroids' 
coordinates as well as the identity of cluster members is useful information that can be 
passed on to subsequent stages of analysis. 

(3.2) Nearest Neighbor 

The nearest neighbor algorithm, simply stated, creates a list of those vectors in a 
database that most resemble a particular target vector. This is accomplished by 
comparing the target vector, in turn, to every other vector in the database; the 
similarity between them is recorded, and once the comparison loop is complete the 
list of similarities is sorted. The top k members of this list are returned as representing 
those k vectors which most resemble the target. 

(4) Generalizing Across Databases 

One of the most useful aspects of SDI is that it allows for inferences to be drawn across 
different databases through underlying connections in membership or content. An 
especially strong link can be made between commercial databases if they have 
customers in common. However, for reasons of privacy, individual customers may 
choose to use different pseudonyms when dealing with different vendors. This might be 
preferred by the individuals, but it weakens the inferences that can be made between 
fields occurring in different databases. 

The techniques chosen to infer correlations across different databases will depend on 
how many pseudonyms are shared in common. At one end of the spectrum, every 
customer uses a single pseudonym for all transactions, and makes an appearance in 
every database. At the opposite end of the spectrum, every customer uses a different 
pseudonym with every vendor, and may appear in only a single database. 

Case 1 : All customers use a single pseudonym, and appear in all databases considered. 

This is the simplest situation to handle. Since all customers appear in all the databases, 
the customer vectors' fields are essentially scattered across several locations, but can be 
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1 easily reconstructed. For each customer, we define a new data vector that concatenates 

2 that customer's representation fi"om across the different databases. 

3 Hence, if we are considering databases A, B, . . ., Z, and customer i appears in each one, 

4 we define a new vector Cj = (cai, cbi, ... , czi), where Ca\ is customer i's vector in 

5 database A. We then proceed as usual, making inferences with these augmented 

6 customer vectors. 

7 Case 2: Most customers use a unique pseudonym, and fi:-equently appear in different 

8 databases. 

9 In this situation, although we see some connections between the databases, many 

10 pseudonyms appear in only a single location. Using Bayesian techniques, however, we 

1 1 can still make predictions for customer vectors across databases. 

12 Suppose we have a set of databases, A, B, Z. Taking each database in turn, we 

13 cluster it using all available data. Thus, using every record in database A, we group 

14 A's customers into clusters 

15 Ai, A2, An. Taking database B, we create clusters using all of B's information, 

1 6 creating customer clusters Bi, B2, . . Bm, and so forth. 

1 7 Now, scan both databases for common pseudonyms (representing those customers who 

18 have interacted with both vendors under the same pseudonym) and create count 

1 9 variables Wy to represent the number of pseudonyms that appear jointly in Ai and Bj. 

20 We can now produce the probability that a pseudonym appearing in A\ will appear in 

21 Bj: 
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12 



7=1 



total = S X ^// 

1 For example, if we have a database of airline ticket purchases and a database of 

2 restaurant visits, we can create clusters, in the first case, of customers who travel to 

3 similar destinations, and in the second case, of customers who eat at similar restaurants. 

4 Given that a particular customer belongs to a cluster of people who fi-equent Caribbean 

5 restaurants, we can infer which travel packages would most appeal to him based on the 

6 linking probabilities, as defined above. 

7 ^Multivariate Extensions: 
8 

9 If we have a third database C, and there are a large number of pseudonyms common 

10 to A, B, C, the above probabilities can easily be extended. For example, knowing that 

1 1 a customer appears in Ai and Bj, we can calculate the linking probabilities to any Ck: 



I total 



^^'^^/) t^, J total 



p n m 



k=\ /=! y=i 

13 

1 4 Or, if there aren't many pseudonyms that span all three databases, the probability of 

1 5 Ck given that a pseudonym exists in Ai and Bj could be approximated by: 
16 

p[c,\a,^b)=p{c,\a)-p[c\b) 

17 

1 8 Case 3: All customers use several pseudonyms, and none appear in different databases 
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1 In this situation, there are no common customer codes that can be used to create links 

2 across the databases. However, the mere fact that several databases have been brought 

3 together for analysis should imply that there are semantic commonalities in the data. 

4 Although each database contains different fields, it may be the case that those fields deal 

5 with related subjects. A human expert, knowledgeable in the content of the databases, 

6 the subtleties of the domain, and the overall goal of the analysis (e.g. the creation of 

7 recommendations), will be in a position to create a "common-information profile" that 

8 spans the databases, hi essence, the common-information profile defines a format that 

9 allows vectors fi'om different databases to share a common coordinate space. 

10 The idea is this: the expert designs a high-level vector format that embodies the content 

1 1 deemed important for the project goals. Next, for each database he develops a mapping 

12 that encodes the database's elements into the generic format. Finally, the desired 

1 3 analysis is performed on the fiill set of common-information profiles. 

14 Although the expert will have to create completely new fields for the common- 

15 information profile, certain types of data will map directly to the common-information 

16 format. In particular, if every database contains text (catalogued and counted, for 

1 7 TF/IDF purposes, by accompanying dictionaries), the union of the words will define the 

1 8 text coordinates of the new common-information profile. When word counts are being 

19 mapped fi-om their original databases to the new vector, the original TF/IDF weightings 

20 may be used, or new TF/IDF weightings may be created (using a dictionary constructed 

2 1 firom all the databases' text taken togetiier). 

22 Once analysis has been performed, certain common-information profiles will be 

23 grouped together by their shared similarities, although the pseudonyms they represent 

24 may have been originally drawn fi-om different databases. Such groups will represent 

25 links between different databases, and may be used for predictive purposes (see end 

26 of example). 
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1 1^1 . 1 .S6 _Example of Cross-database Analysis 

2 In this example, suppose that the central SDI data warehouse contains data submitted by the 

3 following vendors; 

4 A. A travel agency keeps track of tickets sold, and vacation web pages browsed. 

5 B. A bookstore keeps track of books sold, and stores an electronic version of the 

6 New York Times Review of Books. 

7 GtA sporting-goods and clothing shop, keeps track of purchase items sold (which 

8 includes magazines, for which electronic text exists). 

9 c_ 

10 A certain airline wants to promote various vacation packages it has available, which include 

1 1 both European and Caribbean vacations, as well as singles and family packages. Although it 

12 has leased rights to databases A,_B, and C, it turns out that no customer pseudonyms appear 

1 3 in more than one database at a time - in other words, there are no shared records. 



14 A vacation expert is hired to create a common-information profile. He creates the following 

1 5 information vector: (list of tropical countries, list of European countries, family score, list of 

1 6 sports, text) 

17 Note that the family score is a numerical value ranging from 1 (young singles) to 10 (many 

1 8 small children), and indicates what kind of person the customer is (a party-oriented student 

19 vs. a sedate father of three). 



20 The expert then creates the following mappings: 



21 


A. 


Travel Agency. Link destinations of tickets sold to country fields (i.e., the number 


22 




of trips to Germany by a customer would be placed in the Germany field of the 


23 




common-information profile). Link sales of children's tickets, or requests for 


24 




children's meals, to family score. Put web-page data into text field. 


25 


B. 


Bookstore. Link travel books' text to country lists. For all books purchased by a 


26 




customer, map text fi-om book reviews into text field. 


27 


C. 


Sporting-Goods store. Map warm-weather clothing (and swim gear) to tropical 


28 




countries, ski gear to countries with skiing areas. Map sales of toys or children's 


29 




clothing to high-value family scores, map revealing-bikini and student-discount 
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1 sales to low-value family scores. Map text from magazines purchased by a 

2 customer to text field. 
3 

4 These mappings are then applied to each database, generating a full set of common 

5 information profiles. These are then clustered, forming groups that share commonalities. 

6 The expert can now do several things with the results. First of all, he identifies the 

7 general "flavor" of each cluster (e.g., families with small children that enjoy winter, Europe, 

8 and skiing); the pseudonyms contained within each cluster can then be targeted for vacation 

9 packages suitable to their tastes. Secondly, the fact that pseudonyms from different 

1 0 databases have been clustered together allows the expert to plan cross-category marketing. If 

1 1 certain travel-book-buying parents have been grouped together with parents who bought 

12 their children swimsuits and scuba toys, it may be that they share a preference for family 

1 3 activities that take place in warm places or by the seashore. Hence, the book-users might be 

14 advertised various ocean-related sports goods appropriate for young families, and likewise 

15 the swimsuit-users might enjoy getting recommendations for- travel books that describe 

16 tropical destinations that are especially fian for children. That is, if the goal is to cross- 

1 7 market items from A to customers in C, the most logical source of recommendations would 

1 8 be the people in A who have been grouped with the people in C. 

1 9 13,1 . 1 .9-7_Methods for Validation 

20 To a large degree, the overall success of an SDI analysis is the relevance of the connections 

21 that are inferred from the data. It is often the case that a certain amount of validation is 

22 required to determine which analytical approaches are the most successfiil, given that the 

23 analyst has had to choose a particular combination from a wide range of algorithms, data 

24 sets, levels of granularity, and parameter settings. The process of validation measures the 

25 relative success of a given project, and is used to guide the analyst through fiirther iterations 

26 of tuning and adjustment so as to optimize the final results of the analysis. 

27 There are two general approaches, not necessarily mutually exclusive, to validation: the first 

28 is fairly quantitative, the second relies more on human expertise and intuition. 
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1 (la) Quantitative Approaches- Test Against a Validation Set 

2 

3 Suggest the use of a human to infer the most relevant attributes influencing a particular 

4 output and the role of experimental design (as suggested) as a way of holding out part of 

5 the input data in order to validate the key relevancy of particular attributes. Principal 

6 components analysis is also implied in the last paragraph of 1 - 1 . 

7 The goal of validation, in this context, is to measure how successfully SDI makes a 

8 prediction, most commonly a recommendation. Before a recommendation system can be 

9 used commercially (when it is exposed to actual customers), it is important to make sure 

1 0 that it is using the best possible combination of algorithms, input data, and parameter 

1 1 settings (e.g. TF/IDF tuning). If several different combinations are under consideration, 

12 there is a need to gauge the relative predictive accuracy of one approach over another. 

13 This can be accomplished by holding out part of the data set, training the 

14 recommendation system on the remainder, then evaluating the strength of the 

1 5 recommendations made for the hold-out set. 

16 Suppose we are testing two possible settings for a system that recommends music. We 

17 make a copy of the customer purchase records and remove a single purchase at random 

1 8 from each customer - this slightly reduced copy will serve as our training set. We then 

19 allow the two rival systems to recommend musical albums for each customer, based on 

20 the information in the training set alone. Typically, these recommendations will take the 

21 form of a list of items with corresponding numbers that indicate the strength of each 

22 recommendation. The relative performance of a set of recommendations can then be 

23 gauged by looping across each customer, noting whether or not the system 

24 recommended the item that had been held out, and if so adding it to a running total. The 

25 . system with the highest total can thus be judged the most effective, since it most 

26 strongly recommended items that the customers did, in fact, end up purchasing. 

27 Because the result of this type of validation is a quantitative score, it is possible to 

28 automate the model selection process. Given a set of analytical approaches (each with its 

29 own array of parameter settings), it is possible to loop through the full parameter space 
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1 (using a grid of evenly spaced numerical values, if needed, to reduce dimensionality), 

2 computing a validation score at each iteration. Those combinations of algorithms and 

3 parameter settings that demonstrate the best performance could be chosen as the top 

4 candidates for the final system configuration, since they do the best job at predicting 

5 customer behaviors. 

6 (lb) Quantitative Approaches - Dynamic Method 

7 The problem with the hold-out approach to validation is that it isn't dynamic, since it 

8 doesn't reflect the impact that the recommendation system has on the customers once it 

9 is implemented, and may be based on data that doesn't contain current trends. After all, 

10 it is better to predict what the customer will buy rather than what the customer has 

1 1 bought in the past. 

12 A better approach is to run a controlled experiment against the actual customer base. 

13 First, the pool of customers is split at random into different segments. Next, each 

14 approach under consideration is used exclusively to make predictions for a given 

15 segment. Once the trial period is over, each system is given a score based on how 

1 6 valuable its recommendations turned out to be (this could be measured by total sales 

17 generated, for example, or by the number of times a customer made use of a 

1 8 recommendation). 

1 9 (2) Human Expert in the Loop 

20 

21 Although quantitative methods can automate the validation process to some degree, at the 

22 beginning of many projects there is so much raw input data available and so many 

23 decisions that have to be made about the analytical approach that an automated 

24 process would have to test a prohibitive number of combinations of data, algorithms, 

25 and parameter settings to get optimal results. In such cases, it is useful to employ a 

26 human expert who understands the psychology and nature of the particular domain 

27 being analyzed. 

28 Such a person will have intuition about what is and isn't relevant for his domain. For 

29 example, a movie expert might be called in to work on a movie-recommendation 
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1 system, for which an immense amount of input data is available. In choosing relevant 

2 fields for analysis, the expert's understanding of cinema would lead him to include the 

3 director's name and numbers of Oscars awarded, whereas the exact length (in minutes) 

4 of the movie would be, in his estimation, irrelevant and therefore excluded. 

5 Once the analysis is complete and recommendations have been made, the expert's 

6 opinion (based on a qualitative understanding of the domain) can be used to guide which 

7 particular combination of settings, chosen fi:'om a list of candidates with detailed test 

8 outputs, should be used for the recommendation system. 

9 (3) Combined Human/Quantitative Method 
10 

1 1 There is certainly no reason why both approaches couldn't be used in combination. 

1 2 Many data sets include fields that are extremely noisy or simply irrelevant to a given 

13 problem; a human expert can be employed to pare the data set down to a reasonable 

14 size and dimensionality, using his domain expertise to create a data model reasonable 

15 for the proposed analysis. Next, automated methods can be used to fine-tune the 

16 parameter settings and to choose which subsets of the input data are the most usefiil. 

17 Finally, the human analysts called back to qualitatively evaluate the results of the 

1 8 fine-tuning, making the decision to either start a new iteration of the analysis, or to 

1 9 certify that the process is complete and ready for commercial application. 

20 13,1 .2 _The lamworthit System 

21 lamworthit is an application of Secure Data Literchange to business-to-consumer 

22 (B2C) e-commerce, where individuals perform transactions on-line through interactions 

23 with the server machines of on-line vendors, hidividuals interface with the servers of 

24 vendors via local user client machines, networked at present over the hitemet, although this 

25 is not a necessary infrastructure for the invention. 

26 lamworthit allows individuals to receive payments for the information that is 

27 collected by an SDI client proxy and stored in the central SDI data warehouse, for data 

28 mining purposes. lamworthit also allows individuals to receive payments in one-to-one 

29 interactions with vendors in return for providing vendors with information that allows them 
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1 to make an appropriate offer. Secure data interchange supports the useful exchange of 

2 information between agents without allowing vendors to collect and distribute information 

3 about users without the knowledge or permission of users, as is possible now via the system 

4 of cookies and affiliate networks, such as that operated by www.doubleclick.com . hi the 

5 system of lamworthit vendors benefit through well-targeted advertising (both push and 

6 pull), the ability to customize information and services (even to first-time customers), and 

7 access to a large database of information about buyer purchasing habits. Individuals still 

8 release profile information to the central SDI database for the purposes of controlled access 

9 by vendors, and also provide vendors with profile information during interactions and allow 

10 vendors to execute queries on information and receive the benefits of personalization 

1 1 without directiy accessing the information. Users can maintain multiple pseudonyms and 

12 profiles, but within SDI vendors can still access information across pseudonyms and use 

1 3 cross- web (broad) and single- vendor (deep) information to build robust models of buyer 

14 behavior. Buyers benefit through personalization with privacy, and financial rewards in 

1 5 retum for releasing profile information. 

16 Within B2C e-commerce, secure data interchange can also support a system of 

17 time-of-purchase competition, which allows an individual to use the profile management 

1 8 capability of SDI to provide vendors with information about a user at the time of purchase, 

19 and allow competing vendors to offer the same product at a better price, or a better product 

20 (for the user) at a good price. With time of purchase small entrants to the marketplace can 

21 make counteroffers to users tiiat are about to purchase a product or service fi*om another 

22 vendor, and can compete in small parts of the marketplace without investing heavily in 

23 advertising and brand awareness. Time-of-purchase requests can be made by user clients to 

24 iamworthit, to request tiiat iamworthit cascades purchase requests onto other vendors, 

25 collects responses, and then retum them to user clients. This extension of SDI is discussed in 

26 Section 2.1. 

27 As a commercial strategy, one might make it a necessary condition of belonging to 

28 lamworthit that client machines submit profile information to the SDI central data 

29 warehouse, so that vendors can perform useful data mining and then provide customized 

30 products and infomiation to users, for example based on models of collaborative filtering. 



Page 155 of 381 



SUBSTITUTE SPECIFICATION 



1 13,1.3.1 System Overview 

2 Client machines in lamworthit implement an SDI proxy on-top of a user's regular 

3 web browser. The role of the proxy is: 

4 a) Profile and identity management as the individual interacts with server computers 

5 of on-line vendors. 

6 b) Collect and manage profile information, with information periodically submitted 

7 to the central SDI data warehouse. 

8 c) Release profile information to vendors according to profile management policies. 
9 

10 In lamworthit the client-side SDI proxy is configured by users to periodically push 



1 1 information collected about the user to the central SDI data server, i.e. click stream data, 

12 profile information, purchases made, information requested, etc. Profile information is 

13 associated with price-rules, as in the top-level description of SDI, and can also be adjusted 

1 4 with random perturbations to protect the identity of a user under multiple pseudonyms. 

1 5 The client periodically sends update messages to the database, for example with information 

16 about new activity (e.g. web browsing, -purchases, adverts not selected, etc.) SDI allows 

17 the information to be used by vendors to build models that enable good personalization of 

1 8 products, services and adverts. 

1 9 Users might choose to randomize profile information to protect sensitive information 

20 and to prevent vendors linking users across different pseudonyms. Clients submit perturbed 

21 data points and the distribution that was used to generate the noise (see the section on 

22 random noise perturbation) . 

23 13^1 .3.2 Privacy-protected data mining 

24 Vendors can gain access to profile information in the central SDI data warehouse, as 

25 long as they meet the criteria of the agents that submit information on behalf of users, and 

26 pay the price of data access. The profile information can allow vendors to build complex 

27 models for personalization, negotiation, and advertising, based on information about 

28 purchases made by different types of users. 

29 Users submit profile information to a central database that can be used for profiling, without 

30 revealing their identities. Client-side SDI proxies track user activity on-line, across multiple 
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1 sites, and submits data, randomized if necessary, and only according to a user's preferences 

2 to the central SDI data server. The data is useful for building models of buyers, for example 

3 purchasing patterns, for the purposes of personalization of information and adverts. Agents 

4 that submit information retain ownership of the data. 

5 Simple data mining queries include: 

6 (a) Compute the average income level of people purchasing camcorders. Suppose 

7 that a vendor has pseudonymous identities of its recent customers, and wants to 

8 compute their average salary. It does not know the salary of any of the customers, 

9 and individual customers will not release their salary to the vendor. However, if 

10 some of those customers have provided information about their salary to the 

1 1 central SDI data warehouse then the vendor can compute the result to its query. 

12 Agents might associate price rules with information about their salary that allow a 

13 vendor to query that information so long as the identity of the agent is not 

14 revealed, i.e. so long as the salary is provided anonymously. We described earlier 

15 in the patent description how price rules can define different prices for different 

1 6 types of information access. 
17 

18 (b) Compute the total donation to a fund for bone cancer research. Individuals do not 

1 9 wish to release information about their specific charitable donations, but might be 

20 happy to release that information anonymously. Again, a query to compute an 

21 average donation can be formulated and executed in the central SDI data 

22 warehouse. 

23 
24 

25 (c) Perform collaborafive filtering across multiple fields. This is explained in more 

26 detail below, and is possible within SDI because a general query can be 

27 performed so long as the querying agent makes payments for data access in 

28 accordance with the price rules of agents which submit information to the shared 

29 database. Note also that randomly perturbed data does not prevent the 
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1 computation of -correlations between fields, so long as the random perturbation is 

2 "small" with respect to the value of the data record. 

3 13.1 .3.3 Innporting Off-line Data into the Data warehouse 

4 The central SDI server can associate off-line information about a user with a 

5 user's on line pseudonymous profile, even though the central server does not know the 

6 user's pseudonym IDs. This can only be done with the user's consent, and may also 

7 involve appropriate compensation. Within the system of iamworthit we can credit users 

8 for both off-line and on-line information. 

9 Merging a marketing database with SDI user profiles can be useful both to initialize 

10 the database, for example when asking a user questions to generate an accurate user profile 

11 rapidly and efficiently. Off-line data can also add useful richness to on-line profiling 

12 information, which may be largely contextual and low on details/factual information. For 

13 example, off-line data can include information such as whether a user owns a car, rents an 

14 apartment, has house insurance, life insurance etc. SDI can also extrapolate correlations to 

15 other user profiles, on the basis of common SDI-profiles, for example using statistical 

16 techniques. 

1 7 It is often the case that individual customers appear in some databases, but not in 



1 8 others. Under normal circumstances, an analyst working across different databases would be 

19 faced with a large number of incomplete customer records, each with gaps corresponding to 

20 the fields of the databases to which they don't belong. A solution to this problem is offered 

21 by SDI, which is capable of drawing correlations between different databases - this 

22 information can be used to generate predictions to fill in the gaps of incomplete customer 

23 records. The result is a full set of customer records that can be meaningfully sorted or 

24 filtered by any of the combined fields, and which can now be handled as a unified set of 

25 data, suitable for use by standard database analysis systems. 

26 In a typical example, SDI might be used to combine a demographic database, such 

27 as the one offered by the Econometrics Corporation, with a commercial database, such as 

28 the one offered by Claritas. The Econometrics database consists of 180 million different 

29 customer records, but at a fairly coarse-grained level of detail, consisting of such 

30 information as age, gender, family status, location (at the state, city, or zip code level), and 
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1 personal income. In comparison, Claritas offers a smaller base of customers, but includes 

2 information of arguably higher quality, since it breaks customers down to the geocode (sub- 

3 neighborhood) level, and includes much more detailed information on personal spending 

4 habits across hundreds of different purchase categories. A logical reason to combine these 

5 databases would be to supplement information about customers in the vastly broader 

6 demographics dataset with particular predictions about their personal preferences and likely 

7 commercial spending habits. One could imagine using this augmented data set to support a 

8 web site that instantly customizes itself to new visitors' preferences. Since the number of 

9 records in the Econometrics database is equivalent to roughly 72% of the population of the 

10 United States, it is likely that most first-time visitors to the site will already have a 

1 1 'thumbnail sketch" in the system, and can thus be greeted with an page appropriately 

1 2 configured to their personal tastes. 

13 The technical details of the combination process (which have been described 

14 elsewhere in the patent) to a large degree depend on the amount of overlap between the 

1 5 databases, that is, the number of customer records which are shared in common. 

16 Suppose the demographic databases' fields are coded (xl, . , xn), and the commercial 

1 7 databases' fields are coded (y 1 , ., yn). Suppose fiirther that customers in set A appear only in 

1 8 the demographic database, customers in set B appear only in the commercial database, and 

1 9 customers in set C appear in both. 

20 The process of supplementing the fields of customers A depends completely on the 

21 derivation of the distribution f(yl, ., yn | xl, . , xn), which describes the correlation of fields 

22 in the commercial database on fields in the demographic database. As previously discussed 

23 in the patent, different techniques may be used to create this distribution, depending on the 

24 size and variety of C. 

25 As a concrete example, one could imagine that set C includes customers firom rural 

26 areas. The demographic database would reveal that, although their incomes aren't huge 

27 relative to the national average, they tend to spend a lot of it (i.e. are active consumers), have 

28 large families, and purchase large vehicles. The commercial database might show that they 

29 enjoying hunting magazines and Ford trucks. If they live inland, they buy hunting 

30 equipment, if they live near the ocean, fishing equipment. 
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1 If these trends are dominant in set C, they will impact the distribution function. 

2 Thus, when a browser from a small town in Texas with a typical income pattern visits the 

3 automated website, he could be greeted with discounts on truck accessories and a small 

4 sidebar with news on the hunting season. On the other hand, a visitor from a small town in 

5 Maine might be given the same truck discounts, but would have news on the fishing season. 

6 Although the demographic dataset is arguably the weaker of the two in terms of content, die 

7 fact that it contains even a small amount of information on most people in America makes it 

8 very valuable for handling first-time visitors, since most of them will appear in it. By using 

9 SDI to leverage the more detailed information in the commercial database, we are able to 

1 0 supplement the rough demographic data with predicted commercial preferences. This allows 

11 us to construct more detailed thumbnail sketches for each customer, allowing our reception 

12 of first-time visitors to be much more appropriate (since knowing personal hobbies or 

1 3 interests tells us much more about a person than general income level). 

14 4^ 13.1.3.4 Static Query Execution: Central Applications 

1 5 Some key applications of SDI are: 
16 

1 7 o Assessing the Value of Data. Plug together sets of data, and measure predictive 

1 8 accuracy. 
19 

20 o Matching Data Across Vendors. Find patterns in common pseudonyms, denoting 

21 common areas of interest; use catalogues of order codes and item description to 

22 find similarities across data sets. 
23 

24 o Targeted Recommendations; e.g. match customers to their nearest neighbors in a 

25 data set and generate recommendations for users, collaborative-filtering style 

26 application. 

27 

28 o Leveraging Portal Data. Use data from portal to leverage data needs for ISP 

29 
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1 o Analyzing Affinities. Suppose a vendor has a list of customers, and knows to 

2 some degree what web pages they visited after leaving vendor site. A large 

3 collection of customers taken from an ISP will contain their web-surfing behavior. 

4 Cluster web sites and cluster customers, finding cluster-to-cluster interactions. 

5 Use this information to classify vendor's customers; gives vendor an edge in 

6 knowing customers' tastes. 
7 

8 There are a number of search-based applications, where SDI searches for appropriate 

9 profiles and then requests that SDI makes contact with the users pseudonymously, i.e. 

10 without the vendor receiving any useful information about a user's identity. The contact, 

1 1 interaction, and business relationship with the vendor occurs under terms of complete buyer 

12 pseudonymity. In accordance with the parent patent application [INSERT US PATENT 

13 No.] the pseudonymous communication may be either — _email, real-time text 

14 communications, voice (such as the pseudonymous telephony or Internet telephony). In the 

15 case of pseudonymous telephony, instead of a one-time or persistent pseudonymous buyer 

16 address, pseudonymous buyer telephone numbers may be used for the third party to reach 

1 7 the buyer under his/her terms. Example applications include: 

1 8 (i) Financial Advice and Financial Planning Services. Often buyers are quite 

1 9 sensitive about the confidentiality of the release of this type of information 

20 related to personal financial matters and particularly with certain matters (and 

21 perhaps in general) prefer that their financial advisors were unaware of their 

22 true identities. Similarly, investment advice or sales communications by stock 

23 brokers are another application where similar buyer information is typically 

24 disclosed. 
25 

26 (ii) Insurance Agents & Brokers. For many types of insurance, (e.g. health, life, 

27 casualty) personally sensitive information is disclosed by buyers to their 

28 agents and brokers. Initially, before insurance services are purchased, it is 

29 possible that useful detailed quotes and/or insurance advice could be provided 

30 to a buyer pseudonymously. 
31 
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1 (iii) Legal advisors. There are a variety of legal disciplines in which the associated 

2 legal services delve into highly sensitive personal information (e. g., 

3 bankruptcy law, divorce law, criminal law, etc.) Many lawyers also offer to 

4 first-time prospective clients a free consult in which such a privacy-enhanced 

5 communications system could be initially beneficial to the parties. 
6 

7 (iv) Family Counseling and Psychological Counseling. The parent patent 

8 application also suggests these applications which often involve the exchange 

9 of highly confidential personal information. 
10 

1 1 (v) Medical Consultations hivolving Drug Prescriptions. In this variation, 

12 although medical consultation may be conducted anonymously, in order for a 

1 3 physician to prescribe medication, the identity of the patient must be known 

14 (within the current regulatory legal requirements). 
15 

1 6 (vi) Advertising network (where the clustering or nearest neighbor algorithm 

17 interact with the ad server). Ads on that ad server's database, e.g., on the sites 

1 8 most fi-equently visited by the user are periodically uploaded to SDI such that 

19 the ad(s) of highest predicted interest to the user is presented upon the user 

20 visiting that site. Preferably the target object profiles of all the ads on the ad 

21 server database, as well as the profiling algorithm, which is used by the ad 

22 server is properly integrated with that of SDI so that it is possible to convert 

23 the usage statistics of the data model used by the ad network (which may 

24 include ad server data for users collected across the ad networks) into useful 

25 statistics for SDI. 
26 

27 (vii) Content sites, e.g., for personalizing news articles (which are again uploaded 

28 to the SDI server each news day if those articles would not otherwise be 

29 available on that web site. If they are, as with any web content format which 

30 is universally accessible, the content may be fi*equently profiled following 

3 1 retrieval, e.g., by a simple web crawler script. 
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1 

2 (viii) Portal Sites - As detailed in the parent case, the user profile may be presented 

3 to the information vendor server containing the portal site. The selection and 

4 prioritization of the most relevant personalized content categories may be 

5 automatically determined at the client level proxy, which is conveyed to the 

6 information vendor server in order to personalize every aspect of the portal 

7 interface. It should be noted that without the vendor's cooperation (with SDI) 

8 the interfaces of portal sites and content sites could be automatically modified 

9 at the client-level proxy in order to provide the personalization of selections to 

1 0 the user (from the user's perception as if the personalization was dynamically 

1 1 generated on the site itself). However, ad servers/ad networks could not be 

1 2 personalized as easily without privileged access to the ad database (unless the 

1 3 ads from that site were recorded and stored in the ISP-level proxy from other 

1 4 users visiting that site). 
15 

16 (ix) Rating Sites. The ISP level proxy may also contain metadata relating to 

1 7 specific sites, products or informational content (as an alternative to the 

1 8 metadata residing on the HTML pages, which they describe through 

19 cooperation with the vendor). Such metadata includes annotations, average 

20 user ratings, according to a variety of attributes, as well as the ability to 

21 browse Web pages with associated annotations and/or user ratings provided 

22 from those users who are identified by either: a user-selected cluster, or the 

23 user's profile or high or low ratings according to site selected. Endorsements 

24 (and ratings by a variety of relevant criteria) by a variety of types of 

25 organizations may be available as well, and browsing and searching may be 

26 performed with these organizational endorsements/ratings as a criteria to bias 

27 or filter searches or filter the sites accessible via browsing interface (the same 

28 may be also performed for user based ratings as well). 
29 

30 (x) Cache Engines - As an alternative to the profile generation and processing 

3 1 modules running on the network vendor (ISP) servers, it may operate instead, 
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1 or in combination as a distributed process upon the caching server in 

2 accordance with the method taught by ''Broadcast System for Reduced 

3 Memory Devices and Asymmetric Networks", (check exact title of this 

4 patent) As taught in this patent (in accordance with the current applications) 

5 the pages predicted to be accessed by the user on the following day are 

6 precached in advance. 
7 

8 Typically sites which tend to be visited most frequently are assessed for 

9 selections which are personally relevant but have never been previously 

10 accessed. These would be presented as recommendations to the user if^when 

1 1 he/she visits that site (which is also probabilistically determined). The fact 

12 that the recommendation (whether generated by the site itself or modified at 

1 3 the client level proxy), the user's behavior is positively being reinforced by 

14 the fact that the ranking of personal recommendations is prioritized in direct 

1 5 relation with the prioritization scheme for precaching, i.e. personalized 

16 recommendations and precached pages are substantially identical and as a 

1 7 result of precaching to the server, or even the client, can be accessed by the 

1 8 user with little or no latency (thus in the ideal embodiment it may even be 

19 advantageous to highlight the links \yhich have been precached). 

20 In a preferred commercial model, the techniques which are above described, 

21 that meta data containing profile information on the pages are encrypted such 

22 that a cache engine that is used to precache cannot be decrypted and read by 

23 certain caching engines which do not possess a desired business relationship 

24 with iamworthit. In another implementation, other competitive intermediary 

25 services to iamworthit may not be able to decrypt and read these web page 

26 profiles in order to present personalized information to the user (even if the 

27 competing protocol were pursued, the accuracy of the iamworthit version 

28 would be substantially more accurate due to its ability to leverage vendor 

29 centric SDI data from the host level proxy. 
30 

3 1 (xi) Auto Insurance Application 
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1 Co-pending patent application entitled "Applications for a Location Enhanced 

2 Information Architecture" describes a location-enhanced framework by which statistical 

3 methods are used in order to very efficiently and confidently extrapolate the most 

4 relevant attributes in predicting automobile accidents (or the avoidance thereof). The 

5 correlations from some of the existing metrics used may be refined using this technique 

6 e.g. LEIA is able to accurately determine the number of miles a buyer drives per week 

7 while the buyer will often lie about this, thus the basic model may be refined and more 

8 accurate information may be provided on a per-buyer basis. The scheme also enables 

9 completely new metrics to also be identified and utilized as well which may correlate the 

10 attributes location with time. It is conceivable that if a buyer provides access to this 

11 location-enhanced information by an insurer, that the insurer could in turn offer 

12 premiums, discounts or deliver credit to the buyer which could be added to monetary 

13 credit the buyer receives for personal information fi-om iamworthit, for example, an 

14 iamworthit implementation which uses LEIA to profile and target buyers with ads by 

1 5 their location (e.g. while riding in an automobile). 
16 

1 7 (xii) Hospital example. 

1 8 In one data application of the client level proxy server, the user profile includes medical 

19 data which is obtained fi-om medical records, (such as fi-om hospitals or physician's 

20 medical records or potentially that of a health insurer). Typically, various physician's 

21 offices and hospitals which a patient (hereinafter "user") has visited over the years 

22 contains separate portions of a user's overall medical history, thus these various sources 

23 may be combined upon the user's request by downloading this data to the client-level 

24 proxy (or preferably, the user enters into a contract with those organizations in which all 

25 medical data and updates thereof are downloaded by the organization and/or an "agent" 

26 to the organization which transmits a request which is digitally signed by the user at the 

27 client-level proxy server. The origin of the request (the user) is authenticated and may 

28 be processed by a human or another agent located at die organization's host computer. 

29 Because of the highly sensitive nature of medical data, there are potential user privacy 

30 advantages in using randomized aggregates. For example, a user's age, medical history 

31 of specific relatives (particulars of which could be more generalized) genetic data, 
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1 numeric values associated with various medical tests, results for which are a numeric 

2 value. This data may be of relevance to pharmaceutical companies, alternative medicine 

3 vendor and clinics insurance companies hospitals physicians, clinics and home health 

4 care providers, the latter three of which may wish to advertise to patient prospects and 

5 extend their medical practices. The privacy architecture herein provided is a critical 

6 component for enabling access to user data by these commercial entities and is perhaps 

7 critical to the extent that users must explicitly authorize the transfer of medical records 

8 from either the physical copying or electronic duplication of an associated transfer of 

9 such information to an intermediary (SDI) which is trusted by the user. 

10 (xiii) Medical information, such as medical conditions, medical history, active 

1 1 prescriptions, drug reactions, family history, possibly even genetic pre- 

1 2 dispositions (from a genetic profile). Medical insurance information may also be 

1 3 potentially useful for a prospective qualified accessory to be able to readily access 

1 4 in case of an emergency. 
15 

16 (xiv) Physical location information — Users or advertisers could, for example: a) 

1 7 Query a pseudonymous user database to access profiles that are in close physical 

1 8 proximity and match certain criteria, e.g. live in a certain geographical region, had 

1 9 recently attended a meeting or event (or is planning to attend a particular event) 

20 had recently communicated with a friend or associate. In another variation, a user 

21 could for example, submit a query pertaining to every user in a particular physical 

22 space, e. g., a room, hotel or convention center, e. g., identify all users present 

23 here who attended Internet World, 1 995. 

24 13^1 .3.4^5 __Buyer Infomediary 

25 The central SDI data warehouse can be used by vendors that provide services of 

26 buyer infomediaries, for example providing buyers in B2C e-commerce applications with 

27 historical information about previous purchases of users. At present companies such as 

28 www.priceline.com make profits because many individuals post take-it-or-leave-it buy 

29 offers for goods that are above the reservation price that vendors are prepared to accept for a 



Page 166 of 381 



SUBSTITUTE SPECIFICATION 



1 service. An information infomediary, based around information submitted by users about 

2 previous successful or unsuccessful bids would provide for a more efficient marketplace. 

3 A buyer infomediary system can be built as an application of SDI to providing bid prices for 

4 agents in electronic marketplaces which are agent-mediated and allow dynamic pricing, for 

5 example the nascent marketplaces of on-line auctions, www.ebav.com and on-line reverse 

6 auctions, www.priceline.com . 

7 13,1 .3.42 __Seller infomediary 

8 On the flip-side, the system of SDI can also be used to support third-party 

9 infomediaries for sellers, that make their business by performing data mining on the 

10 information in the shared data warehouse, and can sell that information onto other vendors. 

11 It is possible to identify useful pricing models, based on historic purchase information from 

12 many different individuals. 

1 3 The system of SDI can also be used as a confidential database for the purposes of 

14 generating statistics from sensitive data. For example, as a trusted system, manufacturers 

1 5 might be willing to provide information about their productivity, margins, retainment rates, 

16 production efficiencies, yields etc. The central SDI server could generate statistics, globally 

1 7 for the manufacturing sector, and then individually for each manufacturer — as it relates to 

1 8 the information provided by other companies. Similarly, it would be possible to use such a 

19 system to compare salaries across different universities. While an individual university 

20 might be reluctant to reveal information about its pay-scales to other universities, in the 

21 aggregate this information is not sensitive — and a survey on salary can be useful to both 

22 employers and job candidates. SDI is used to securely calculate statistics, without revealing 

23 any information that might compromise the privacy of a single employer. 

24 13^1 .3.35 _Personalization Application. 

25 Personalizing information on-the-fly requires that a vendor has a data model, for 

26 example that clusters its current user-base according to what they are likely to be interested 

27 in. We can allow vendors to execute queries, for example clustering algorithms on profile 

28 information, that use all the information submitted to the data base by users without 

29 violating privacy policies of the owners of that information. This can be done by returning a 

30 classifier, that will place new profiles into relevant clusters, and provide information about 
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1 the likely interests of a particular user. Given this classifier, we describe in Section 3, 

2 ''client-side data mining", a method that allows the vendor to compute the results of a 

3 personalization algorithm on the profile of an agent without receiving that profile. Simpler 

4 methods might either run such a personalization query in the central SDI data server, or 

5 release some profile information to the vendor. 

6 Vendors are assured that all enabled users (who are subscribed to iamworthit) will 

7 receive highly personalized recommendations for their products, services and advertising 

8 access fi"om their site, (and because many sites are migrating towards providing also a 

9 fiill-blown niche portal with content, chat and forums,- personalization of this 

10 information is enabled as well). In addition to leveraging click-through navigations and 

1 1 transactions captured from their own customers during present and previous visits to their 

12 site, iamworthit provides the unique advantage of being able to utilize the user's web- 

13 wide profile consisting of a variety of attribute types upon accessing the site in order to 

14 leverage statistical correlations captured by the integration of the statistical models of the 

1 5 vendor, with that of Iamworthit. If stored on the SDI main server, the iamworthit data 

16 captured at the client level or ISP-level proxies is typically concatenated with the data 

17 sets of the vendor captured from the host- level proxy (maintained at the vendor's host 

18 server or if SDI enabled at the SDI main server)__This is particularly important for first- 

19 time visitors to the vendors site and particularly within vendor domains in which content- 

20 based merchandise (e.g. books, magazines and news subscriptions) are sold. Assuming 

21 the number of iamworthit subscribers is substantial enough and assuming that the present 

22 business model involves a "relationship" between 

23 iamworthit and a vendor of reconraiender systems and/or (at an arms length) the 

24 vendor-centric SDI service, this advantage alone could impose significant pressure upon 

25 the vendor to deploy a recommender system(s) which interoperates with iamworthit (or 

26 subscriber to SDI). Content sites, news sites, and web portals, etc. can provide 

27 personalized information to users by subscription to the system of SDI, which provides 

28 access to customer profile information. 
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1 13.1 .3.6_4 Example: Customized Web Pages. 

2 Analyze customers for broad preferences in choice of web pages visited (corporate, 

3 Star Trek fan, etc.). This defines the initial look and feel for the page that greets them at their 

4 portal (a teen might enjoy lots of bright colors and sound clips, an investor would prefer a 

5 more staid design); different "skins" could be created to match the major categories of 

6 customers, and would designate both the graphical design and modules available on the 

7 page (e.g., a working stock-ticker for an investor, a real-time weather map for a jogger). The 

8 web pages and information most frequentiy accessed by a customer would be given priority, 

9 and a hierarchy of usage could be developed. Since stock prices are of the highest 

10 importance to an investor, a ticker reflecting his portfolio value would stream across the top 

11 of the page. However, although he enjoys spending his profits on vacations and 

12 automobiles, these are only of secondary interest to him (as revealed by his on-line 

13 behavior), and so are relegated to a sub-menu on his web-page. As his usage changes, the 

14 priority level assigned to the modules would change as well, so that when a jogger 

1 5 purchases a treadmill for indoor running, his weather reports won't dominate the top-level 

16 screen. 

17 Small children could have simplified browsers, with extra-big buttons and access to 

1 8 pages pre-screened by a "web-nanny" service. 

19 SDI would be used in the initial phases to group customers into general categories 

20 based on their patterns of their web surfing, and would be used in later phases to adjust the 

21 content and style of their portal home-pages (based on what similar customers seem to be 

22 enjoying). SDI can improve upon this rule engine-based model by giving far more 

23 information about the users who tend to perform certain actions on their sites. Moreover a 

24 second (outside) vendor which is syndicating products or advertising on the vendor's site 

25 could (upon fiirther approval of the hosting vendor) use data mining of the hosting vendor's 

26 site and based upon explicit actions of users on his/her site and/or the user's profile ascribe 

27 rules for more explicit criteria for targeting these remote prospects. Of course, response of 

28 users provides a means for iteratively refusing these rules explicitiy (or alternatively 

29 implicitly). 

30 The Secure Data Interchange clearly offers significant potential value to a vendor 

3 1 licensing rules engine in many ways. As an additional example, many vendors also use a 
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1 site traffic reporting tool in order to analyze traffic patterns through their sites. It is very 

2 helpful for vendors to analyze, for example, how often certain pages become clicked-on or 

3 transactions occur or conversions occur, how moving the link may affect (typically improve 

4 ) these patterns and how certain rules (which may dynamically create links or move links) 

5 affects these pattems. Of course, observing the movement pattems of users throughout the 

6 site helps the vendor better understand user's perception of the relatedness and natural 

7 progression of page accesses throughout the site. This is particularly so if different rules are 

8 experimented with such that optimal click-through or transactions occur particularly for key 

9 pages or purchasables. Adding to this statistical data SDI user profile -information is able 

10 to reveal (via data mining) much more robust relationships between pages as these 

1 1 relationships change with user profile features. Accordingly appropriate rules may be 

12 provided for individuals based upon this general user profile information which is gleaned 

13 fi-om interests and behavior before visiting the site, i.e., either fi-om the user-centric or 

14 vendor-centric SDI (while the user visits the vendor's site or alternatively accesses an 

1 5 affiliate site). 

1 6 In another variation of SDI we can highlight content on web pages with information 

1 7 that might be relevant to a user, even when the source of the web page is not personalized. 

18 This can be done via collaborative fihering techniques, which might bring in feedback and 

1 9 comments fi-om other similar users within SDI that are stored in the central SDI database. 

20 The iamworthit (user side) SDI database in cooperation with the vendor centric SDI 

21 service can sell to the vendor centric SDI service or other industry or market research 

22 organizations strategic information about the comprehensive behavior activities and user 

23 profiles of visitors and customers of these vendors (as is suggested earlier in the spec). 

24 Additionally, targeted survey questions may be presented on behalf of these entities in 

25 order to extract fiirther information which may be correlated with certain features and 

26 attributes of these users. One such method, rapid profiling is detailed in the parent 

27 application [INSERT US PATENT NO]. 
28 

29 Vendors can utilize SDI's data mining interface to observe content and product 

30 consumption affinities based on user profiles describing Web wide behavior. This 

3 1 interface may also enable vendors to observe comparative click through and/or 
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1 transaction rates of their competitors, how these criteria are affected by user profile 

2 attributes including geographic criteria (if relevant to that vendor) as well as how these 

3 criteria, (including even individual multivendor customers) are affected by various types 

4 of recommender and rule based engines and further the particular rules and weighted 

5 feature correlations used in generating these recommendations (again as described above, 

6 these rules and feature relationships may be derived automatically through a core sample 

7 of users, who are iamworthit subscribers). A vendor can use statistical data to tune 

8 certain features and implement certain rules, either directly or with the help of a user 

9 centric SDI analyst. Moreover, direct real time response feed back may be collected on 

1 0 these manipulations to the data model in iterative fashion. 

1 1 13.1 .3.7§ _Example: Ad networks. 

1 2 The system of SDI provides a method for an advertising network which allows 

1 3 users to receive personalized adverts that are relevant to their lives, and also allows 

14 vendors to boost profits by placing one-to-one adverts instead of the traditional broadcast 

1 5 nature of advertising in media such as television and newspapers. Each user can receive 

16 adverts that are tuned to his/her profile, but without losing control over the information in 

1 7 that profile. In fact, a user can configure price-rules to receive payment for receiving a 

18 well-targeted advert. The trusted secure data interchange can operate as an "ad network", 

1 9 allowing for the placement of well-focused banner ads to market goods that are relevant 

20 to users of a particular content site. Electronic banner ads provide the potential for one- 

2 1 to-one marketing, when the advertising agency has information about the user that has 

22 just hit a site, together with information about what the user is doing local to a site. For 

23 example a car manufacturer is able to place a focused advertisement to a user that has just 

24 performed a search for new cars in a search engine, to a user that is known to have a large 

25 family and a high disposable income. 

26 Ads can be targeted to iamworthit users based upon their user profiles. Ad 

27 networks can use the profile information in SDI to target ads and reach their target 

28 customers. Ads can be targeted with statistical data across multiple vendors that are 

29 subscribed to SDI. Statistical data can also be used to determine estimated revenues for a 

30 vendor if she/he were to interoperate with iamworthit and subscribe to SDI. 



Page 171 of 381 



SUBSTITUTE SPECIFICATION 



1 SDI might develop a decision tree to decide how to assign adverts to users with a 

2 particular profile. Within SDI we can track users across multiple domains, to allow fine 

3 level control over ads that the user sees. 

4 There are two possible business models. Firstly, an Internet content provider could 

5 purchase access to information placed by vendors and users within the Secure Data 

6 Interchange database. This information may be "rented" for a period of time, and then 

7 whenever a user visits the site of the content provider (possibly through the pseudonymous 

8 proxy server), the provider can query the data interchange for information about the user. 

9 The Internet content provider sells well-directed advertisements to vendors. Secondly, the 

10 data interchange could sell or rent data to an advertising agency directly, providing 

1 1 information in real-time to enable the advertising agency to provide more focus in its banner 

12 ads for its clients. "Per-transaction" pricing is a very powerful pricing model that is enabled 

1 3 with on-line banner ads. It is simple to monitor the number of click-through that are received 

14 at a particular banner, in response to an advertisement. In the off-line world pricing must be 

1 5 based on the number of impressions, or worst still, the number of mailings sent- and it is 

1 6 more critical to understand the expected value of a campaign up fi-ont. 

17 The proxy server could also act as an "ad network" itself, and sell focused 

1 8 advertisements for vendors, and purchase ad-space on the sites of content providers. The on- 

19 line domain provides this unique opportunity for quick experimentation with advertising 

20 strategies in order to get feedback on the likely utility of untested approaches. The system 

21 can use a hierarchical cluster tree to identify the most revealing items in a dynamically 

22 responsive fashion such that the profiles of all of the selections can be generated with the 

23 most minimal amount of interactions with the user (see "Rapid Profiling" section in issued 

24 patent entitled "System & Method for Customized Electronic Identification of Desirable 

25 Objects). Thus a more robust statistical model across multiple vendors is established as a 

26 result of the user's click through response of these intelligentiy selected virtual banners as 

27 well as other pages which are subsequently navigated through once the remote site is 

28 accessed via the banner. 

29 In the preferred approach rapid profiling not only dynamically identifies and 

30 presents items which are most revealing of the other items in the collection, it also selects 

31 the users whose profiles suggest the greatest familiarity with tiiese items (i.e., potentially 
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1 correlated items). Furthermore, if the system's objective is to find new users or users who 

2 may be interested in the present vendor's other products, products for which little is known, 

3 then it will match users who are least familiar with exemplar items. The idea is to reveal the 

4 most significant data about the user profile with respect to the present collection of items of 

5 interest. Finally, rapid profiling can use direct explicit queries to determine interest on an 

6 item(s) or to collect demographic data on a user. 

7 The target object profiles of advertisements on the ad server are matched against the 

8 user profile in order to automatically present the most relevant recommendation(s). 

9 Typically, the client-side proxy requires -the host-level proxy to disclose the target object 

10 profiles of the products/services sold by the vendor. This data is stored as -meta-tags in 

1 1 XML form and is encrypted. This data can be very usefiil to the user in navigation, filtering 

12 and search activities in the fixture or in a variation the ISP - level proxy a party (a neutral 

13 server) could store these target object profiles and selectively disclose relevant pieces of 

14 them (e.g. genre cross-correlations) to vendors, which are considered according to the 

15 disclosing vendor's data disclosure policy acceptable to receive this data. These profiles 

1 6 are not accessible to the client-level proxy but may be disclosed only if there are restrictions 

1 7 within the vendor's data disclosure policy. 

1 8 In another variation, if the data to be disclosed to the vendor is acceptable to the 

1 9 original vendor but she/he is untrusting -of the vendor, the data is received by the host-level 

20 proxy (another neutral third party) instead of the vendor, thus providing the disclosing 

2 1 vendor with an additional level of security, assurance about the use of his/her data while 

22 enabling the users of such a site to access all of the merchandise or content in a completely 

23 personalized fashion. Thus tiiese XML tags are stored in association with, but on a separate 

24 server fi-om the actual -HTML pages stored on the vendor's site. Additionally, these profiles 

25 are constantiy updated by user profile data conveyed to the host-level server which operates 

26 in distributed fashion. 

27 Advertisers may also stipulate additional rules relating to the delivery of ads to 

28 buyers in conjunction with performance of certain explicit actions e.g. submission of certain 

29 search terms, visitation of pages with certain key words (as a general tendency or on a per- 

30 page basis), visitation of certain specific pages or sites, performance of certain location 

3 1 specific behavior the delivery of which could be performed in accordance with the real-time 
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1 behavior by the user if desired (e.g. visitation to a competitor's retail outlet or traveling 

2 within the proximity of the vendor's own store), otherwise the presently suggested 

3 algorithms may automate most of these manual functions by virtue of its recommendation 

4 capability e.g. matching ads to the most appropriate list of buyers or matching ads to 

5 metrically similar Web sites which may appear whenever the buyer visits that site(s). 

6 Ads may also take the form of digital coupons [KRJM 98] which are priced by 

7 vendors according to behavioral information which the buyer is willing to disclose to this 

8 vendor. Because many buyers are adverse to viewing additional advertising which is 

9 "imposed" in the preferred embodiment, any inserted ads delivered by iamworthit can be 

10 "tumed off' by the buyer voluntarily unless the in kind value which the buyer receives in 

1 1 exchange for the advertising mandates a certain minimum ad impression delivery. Also in 

12 light of the above buyer concems in the preferred embodiment, there are no additional 

1 3 impressions added to the buyer's web browsing experience. 

14 Ad blocking technology can be deployed to block existing banners and replace them 

1 5 with iamworthit ads. Ad blocking is commonly available, and the techniques used are well 

16 known in the art. The HTML source for the ad banners may be either called-up from the 

1 7 remote server (such as with an ad network) or altematively from an ad server (typically 

18 purchased by the vendor) on the vendor's own host server. In either case, the ad blocking 

19 software typically recognize the HTML source which originates from the ad server. A 

20 directory of the HTML source for the various ad servers is maintained with the ad blocking 

21 software (and presumably updated e.g. if new servers are added or change their IP 

22 addresses). The location/physical dimensions of the portion of the page occupied by the 

23 HTML source which the software removes (its "footprint"), may be readily replaced by 

24 another replacement banner (by iamworthit) from wherever the proxy server resides 

25 (typically on the client but potentially on the network). As a result of a potential difficulty 

26 in which the ad server deliberately changes its IP address to avoid recognition, which occurs 

27 constantly and dynamically, it may be possible to recognize portions of the page which 

28 contain image "features" of ad banners, which are inserted from another HTML source 

29 where that HTML source is linked to known vendor sites (which are also linked similarly 

30 from other site's ad servers and/or are known via their HTML sources to have previously 

3 1 utilized ad server technology and a "new" HTML source appears instead, etc. 
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1 This model may be extended to other media domains e.g. replacing digital TV 

2 commercials instead with targeted ads delivered and precached via iamworthit for insertion 

3 at appropriate times i.e. during commercial breaks during standard video programming. 

4 Another variation could be tailored to pre-loading iamworthit advertising to automobiles for 

5 insertion in place of traditional radio commercials. In accordance with the parent patent 

6 application, (and as suggested above), email may be a useful targeted ad delivery medium as 

7 well. Per the patent case, the system is able to classify email (according to its source and 

8 content using implicit or explicit actions of the buyer). Based upon certain desirable 

9 confidence threshold settings, the system may automatically delete "span" and replace it 

1 0 with targeted messages provided by iamworthit which the buyer is paid to receive 

1 1 pseudonymous physical mail is yet another potential source of targeted mail for which the 

12 buyer may be paid in conjunction with the user's voluntary removal from direct mail 

13 marketing services which iamworthit could provide in conjunction, iamworthit' s buyer 

14 compensated targeted advertising model could be extended to a pseudonymous 

15 telemarketing service (as suggested above) using one-time call session pseudonymous 

16 telephone numbers for telemarketers to reach desired buyers. Finally, human sales persons 

1 7 could be the "ad delivery medium" for iamworthit. 

18 13,1 .3.§8_ Example: Dynamic personalization of links within a web site 

1 9 Wide user profile data can also enable the dynamic personalization of links within 

20 a web site, to create a virtual shop floor to match the predicted preferences of each user. 

2 1 For a new user, that has never before visited the site, it is very advantageous for the site 

22 to already know about the preferences of that user in order to personalize the goods and 

23 services that it offers. The information provided at the secure data interchange, and 

24 gathered from the transactions of a user with another vendor, is vital for this type of 

25 personalization to first-time users. For retum customers, an Intemet site can also leverage 

26 its is information that it has collected from previous interactions with the user, 

27 information that is collected locally to the site. 

28 13,1 .3.7-9 Personalized Search Engines 

29 The present state of the art for search systems involves the use of an extremely 

30 static interface, which is not personalized for a user. In the previous patented disclosure 



Page 175 of 381 



SUBSTITUTE SPECIFICATION 



1 [INSERT U.S. PATENT NO.] we identify features of a user and anticipate areas of 

2 content likely to be of interest. A personalized portal interface can then allow a user to 

3 view categories that are presorted in terms of expected value to a user, based around 

4 more than the search term just entered. 
5 

6 For example, if AltaVista knows that I am a research student, then the search 

7 engine can bias results in the direction of information that is likely to be appropriate to 



8 my interests, and away from other items. The personalization and filtering can be done 

9 based on results that I have accessed in the past, and also on the basis of information that 

10 is stored about a user in the shared SDI data warehouse. It is possible to greatly increase 

1 1 the relevance of the search results through eliminating and prioritizing the potential range 

1 2 of results from the query. 
13 

14 Within the system of SDI, where more information is readily available about a 

15 user, we might now also look at what a user is currently doing, his/her professional 

16 expertise, skills, proficiencies, etc., the reason for the user asking the question, for what 

1 7 purpose was the question asked, for what purpose will the results be applied (if relevant), 

1 8 what is the geographic and/or time period content of the query, what type of content does 

19 a user prefer, e.g. humorous, wisdom/council, scientific, political, business oriented. 
20 



21 In this way we can begin to incorporate contextual content into search. We might 

22 also allow users to contact other users who are determined to be experts in particular 

23 areas browsed, with this information dynamically discovered by queries into the SDI data 

24 warehouse. 

25 Collaborative filtering can help to identify individuals with a close affinity to a 

26 particular site/vendor, and community of interest or interest domain such, so that they 

27 can be informed of opportunities to act as experts and receive referrals on demand. This 

28 added ability to bring new content more efficiently and timely could be very valuable. 
29 

30 Another simple extension is to provide personalization to the results from a standard 

3 1 search-engine. For example, we could use a user's profile to perform additional filtering of 
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1 the results of the search to refine the pages returned on the basis of their profiles and the 

2 user's profile, i.e. using collaborative-filtering/clustering style techniques. 

3 13.1.3.&10 Smart Browsing: Personalized Annotations, Filtered Information. 

4 We can also introduce personalized annotations to pages that are displayed to a user, 

5 with annotations selected to reflect the interests of the user, for example as provided by 

6 special-interest groups sharing affiliated profiles, or as provided by other users. A couple of 

7 definitions for this section: exemplar - the profile of target object or (as pertinent to 

8 following description), user profile which is "most like" the profile of the cluster to which it 

9 belongs, perhaps a median metric. 

10 The Platform for Privacy Preferences (P3P) [CR 98; RC 99] provides for the ability 

1 1 to utilize XML meta-tags to annotate -Web pages, and within a system such as SDI we can 

12 allow comments fi-om previous visitors to a page to add annotations. Users can receive 

13 annotations fi:-om the SDI data warehouse that are associated with annotations provided by 

14 other users with similar profiles. One of the divisional applications of the parent case 

15 "System for Customized Electronic Identification of Desirable Objects" [Herz 98b] relating 

16 to the automatic creation of virtual communities suggests that users may be automatically 

1 7 assigned to particular communities (e.g. chat groups, forums, etc.) for this purpose. 

1 8 We might allow users to rate the annotations in the pages, allow SDI to leam how 

1 9 usefiil annotations provided by certain users are to new users, and classify users as "experts" 

20 that receive priority in the position of their current and fiiture comments. Future conmients 

21 fi-om users with a poor rating history for a particular content cluster may be deleted. A 

22 persistent interface feature on the tool bar or side bar can provide for annotations to also be 

23 accessed by users selecting certain profile features of users as they browse fi*om page to 

24 page; for example a user could identify the comments of a news article about abortion by 

25 users who are self identified as advocates of the Women's Rights Movement, ultra 

26 conservative senior citizens, teen women or those with a strong interest in altemative 

27 medicine or the Catholic Church. 

28 The parent case [Herz 98b] further suggests that users may actively provide ratings 

29 in a completely privacy protected manner according to various criteria of pages they browse. 

30 Profile-based clustering of these ratings and annotations can allow a user to submit as a 
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1 query a user profile, to receive a page that rates or annotates a page, and a listing of highly 

2 relevant pages to a particular type of user. This could also be used in a "reverse engineering" 

3 sense, for example requesting the exemplar user profiles for users that visited and gave high 

4 ratings to a particular site, and then using those profiles to find similar sites of interest, or 

5 finding the user features that are in the exemplar profile to understand something about the 

6 content of a web page. The browser interface may automatically display the related links 

7 that are determined dynamically to be most relevant to a user, again statistically estimated 

8 via the data in SDI of users' browsing habits, and/or via active page recommendations or as 

9 book marks by those users as being of particular relevance or similarity to the present page. 

10 Browsing methods may include search-based browsing, and also browsing via a 

11 hierarchical navigation menu system, with users classified according to their behavior 

12 patterns and/or ratings which have been actively submitted. The parent case [Herz 98b] also 

13 suggests the use of hierarchical clustering for products, to help in a smart shopping system. 

14 Similar products can be presented together where the feature criteria for creation of the 

1 5 hierarchical cluster tree could be price or other criteria. In addition to allowing users to view 

1 6 item selections according to desired selection criteria, a comparison shopping fijnction can 

17 also allow a user to view the attributes of- buyers that tend to buy certain items to help to 

1 8 add confidence to a user that he/she is getting the right product. 

1 9 The above description also describes the use of a hierarchical menu through which 

20 groups of users may be identified by their profile features (wherein a profile feature could 

21 even be a rating criteria itself of for example, an opinion via a site survey). These features 

22 could be used to either selectively filter-out content which falls outside of that criteria as the 

23 user navigates the information or identify ifi^when pages encountered where these user rating 

24 features are present, thus displaying this user statistical information in conjunction with the 

25 ratings statistics and/or associated annotations if desired. 

26 We can allow the user to use one or more organizations to provide features and 

27 annotations to help in a search and information interpretation process, to add appropriate 

28 filter and bias to information presentation as a user browses the Web. Similarly, a user might 

29 adopt the endorsements of a fiiend for annotations, and editorial content about particular 

30 pages. 
31 
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1 The availability of feature information about individuals that provide high ratings 

2 for particular Web pages can also be useful for vendors that wish to find appropriate 

3 locations for their advertisements. For example, given an "ideal profile" of a consumer 

4 for a particular product, a web page/type of information can be determined that will be 

5 useful to find appropriate customers. This is an alternative method to providing adverts to 

6 particular individuals, instead choosing to provide adverts to limited information domains 

7 that attract appropriate users. Vendors may request additional information, such as site- 

8 specific page view correlations (including time spent viewing each page) in accordance 

9 with user features. Exemplar user profiles and attributes of those users are certainly of 

10 interest to vendors to which those sites belong as well as affiliate sites on which their 

1 1 advertisements and/or syndicated products are advertised and sold remotely. 
12 

13 We can also profile users with context information, for example based on their 

14 assumed goals (social, business, personal, etc.), information which can be determined by the 

1 5 nature of their current activities. 

16 In an interesting extension we can allow users to contact other users that are 

1 7 browsing similar material with similar profiles in real time, allowing ad-hoc virtual work 

18 group formation. Of course, all of this is done within the carefully managed profile and 

19 privacy managed systems of SDL The location of a user could play into decisions about 

20 physical meetings. Typically some users may wish to enter into a present (or future) 

21 dialogue, which can be scheduled via calendar agents, which perform automatically 

22 scheduled compatibility meeting/introduction functions. 

23 It is also reasonable to provide the technique of collaborative filtering to identify 

24 users whose profiles are particularly similar to the material which is being viewed, e.g., 

25 those users who are determined to have a high proficiency level with regards to that 

26 particular material. Because the requesting user may be seeking to query the expert or seek 

27 edification on that material, typically same consideration is conveyed in exchange for- that 

28 information, hi a variation, a more data exchange may be provided if 

29 collaborative filtering identifies fairly similar users to the presentiy viewed material which 

30 also demonstrate, via their profiles, considerable complementarily in the particular 

31 knowledge which they are likely to possess. Vendors may also and 
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1 facilitate this type of information exchange on their -sited between these complementary, 

2 (yet metrically similar) customers. 
3 

4 In a consumer-vendor commerce application of this form of interactive browsing we 

5 can allow users to enter into dialogues with vendors based on their profiles, and share 

6 experiences with vendors, regarding their experiences. This can be done in real-time, or 

7 statically within an iamworthit style system architecture, where a user receives financial 

8 incentives for providing information that is useful to vendors. 

9 The parent case [Herz 98b] suggests that organizations (e.g, vendors, etc) may be 

10 rated by multiple users across and according to a variety of relevant attributes. One useful 

1 1 extension is to group descriptive opinions of users according to their profiles, certainly users 

12 with a particular type of profile are likely to have affinities towards certain sites and certain 

13 content. It can be usefiil to example how the assessment of user's varies according on their 

1 4 profile information. 

15 Another variation is to suggest a three-dimensional interface to allow useful 

16 diagrammatic representations of the information and meta-information that a user is 

17 presented with. The parent case [Herz 98b] describes a method to reduce the 

1 8 multidimensional characteristics of feature and annotation information to only 3 dimensions, 

19 and present that information graphically, via a technique of principle-component analysis. 

20 The profiles of the target objects associated with a user's preferences are represented as 

21 points in 3-D space within a navigational interface. Nodes may also be displayed according 

22 to category and sub-category. Views may also be restricted to user's with the same goals, 

23 i.e. business users, social users, etc. this mind-set can be inferred by the sites that a user is 

24 visiting, for example. 

25 la.l .3.911 Smart Interface to On-line Discussions. 

26 The present description provides a methodology by which it is possible to apply 

27 techniques of statistical NLP for purposes of enabling users of live discussion groups and 

28 bulletin boards to dynamically visualize concept (via automatically generated labels short 

29 summaries or even visual representations of the concepts). The parent patent [Herz 98b] 

30 describes a browsing implementation in which it is possible for a user to view an on-line 3- 
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1 D layout of a "virtual mall" in which the multi-dimensional space of the object profiles of 

2 the items are collapsed into three dimensions. Further, the display may be customized to the 

3 user's profile by -using as the vantage point the position of the user's profile within the 

4 space. 

5 We can use information retrieval, pattern matching, and collaborative filtering 

6 techniques to refine information based upon the particular relevance feedback fi-om those 

7 particular individual engaged in a discussion. The novel interface enables the extraction of 

8 text segments firom all previous discussions. These (multi-discussion) segments are 

9 essentially grouped into clusters and the clusters are representative of "concepts". The 

10 statistical fi-amework is further used to determine what clusters (concepts) tend to follow in 

1 1 sequence what other clusters. Because conceptual flow in human language is quite complex 

12 and perhaps somewhat relative to the individual, it is usefiil to provide different interface 

13 settings, e.g., for example one which is tailored to the individual (i.e., the layout of the 

14 conceptual flow based upon statistics taken fi-om all individuals which are generally similar 

15 to the interest profile of the present user what it would be for certain types of user profiles as 

16 explicifly indicated or what it would be for flie collection of user profiles of tiiose 

1 7 individuals within the present discussion groups (or if two individuals, the user profiles), 

18 The large statistical information stored in SDI may be useful for the purpose of 

19 guiding discussions in a chat or forum context. Individuals may use the system in order to 

20 guide flie flow of their own thoughts (where it is tuned to their own personal profiles) or that 

21 of what a particular individual with which they are corresponding at that moment (or in this 

22 case ideally both of their profiles) or (to appeal to the overall discussion forum or chat room) 

23 the collection of user profiles in tiiat discussion forum. Again, in a variation, the system 

24 may be tailored to give additional weight to the particular historical experiences of the 

25 individual or group, thus if implemented in this way to the individual, the system may act in 

26 a similar capacity to a remembrance agent. 

27 13,1 .3.12_+ Example: Vacation Package System 

28 A vacation package organizer decides to begin a large-scale marketing campaign to 

29 target those people who would be the most interested in joining a new Caribbean Cruise. 
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1 Although the vendor has a database of current customers, it is interested both in increasing 

2 the number and suitability of its potential leads. 

3 Interfacing with the secure data interchange with which it is a member, the organizer 

4 identifies several possible sources of supplemental data: a LEIA-based travel discussion 

5 group, an on-line bookstore, and a Caribbean restaurant. These are found both by browsing 

6 through the interchange's internal list of members, and by using SDI-based data analysis 

7 tools, used within the interchange to automatically identify entities sharing common 

8 characteristics. 

9 The package organizer then contacts each of these entities through the interchange. 



10 and negotiates different data-sharing deals: the travel discussion group is willing to 

1 1 exchange full information for a large travel discount, the on-line book store is willing to 

12 reveal the pseudonyms of users who have bought travel books in exchange for a per-sale 

13 commission, and the restaurant is willing to sell its entire database for a flat fee (and will 

1 4 provide an aggregated data set as a sample). 



1 5 The vacation package organizer now chooses fairly basic data-mining algorithms to 

1 6 identify the individuals with the greatest potential interest in a Caribbean vacation; however, 

1 7 the organizer does splurge on a new neural network approach developed by a small software 

1 8 company. On a per-sale commission, the Software Company is willing to loan the vacation 

1 9 package organizer use of its data mining code. 

20 First, the organizer decides which data sets to use. The initial results on the 

21 restaurant's aggregated data aren't so good (its customers turn out to not be very affluent), 

22 so the organizer declines the purchase of the fiiU data set. However, it does agree to the 

23 conditions asked by the travel discussion group and the on-line bookstore. 

24 The data provided by the discussion group and on-line bookstore, being in a 



25 common format, are moved in a secure fashion to the interchange's processing area, and are 

26 acted upon by the data mining tools, which are also in a compatible fomiat. As per the 

27 agreement, the interchange forwards discounted Caribbean cruise offers to the members of 

28 the discussion group, and forwards standard promotions to targeted individuals in the book 

29 store's customer list. A few of these individuals respond favorably; these electronic transfers 

30 of money and passed back through the interchange, which slices off a commission for the 
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1 book store before passing the accepted offers back to the tour organizer, who learns the 

2 identities of the customers and can now count them as part of its database. 

3 This protocol specification could even be digitally signed by the "owner" of the data 

4 as proof of ownership of the data and its associated restrictions by the owner, i.e., effectively 

5 a "digital deed" which is both legal and untamperable by any other party and thus acts as a 

6 legally binding proof of ownership and terms/conditions dictating how that data can be used. 

7 13,1 .3.123_ Example: A Forum for Political Views and Discussion 

8 The information within SDI can represent user's political views, and be used as a 

9 very advanced political polling system that respects the privacy concerns of users. For 

10 example, a user can state that information is released anonymously and that no identifying 

1 1 information is ever released. That said, within the iamworthit system an individual with a 

12 current and complete political profile could receive a steady income stream from semi- 

1 3 automated focus group queries. 

1 4 Taken one step further, it could then also be possible to identify for a user candidates 

1 5 which are believed to be a close match with a user's political profile. Expert opinions could 

16 be used to determine the individual issues and relative weightings (indicating relative 

1 7 priority which those issues assume within the politicians political priority scheme) as well as 

1 8 levels of extremism in views to political issues. In the preferred implementation a listing of 

19 different politicians is presented in conjunction with a percentage which reflects the degree 

20 of similarity among- the views of the user and those of each politician as listed in descending 

2 1 order or similarity. The user could drill down and observe a -redistribution of the percentage 

22 based on particular desired political issues, or the user could observe the distribution under a 

23 variety of different user profiles. The system may also take aggregate statistics from other, 

24 various types of individuals and or organizations. That is to say each individual can, on a 

25 voluntary basis, disclose as much personal information, be it explicit or implicit disclosure 

26 (form his/her user profile data base), in order to create a more robust and comprehensive set 

27 of statistical relationships. 

28 The system could also ask the users presently to indicate which actual candidates 

29 they selected; thus collaborative filtering recommendations can indicate, for example, which 

30 candidates users with certain political issues-related profiles -tend to vote for (even what 
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1 other individuals, exactly like the present individuals, tend to do in this regard), or 

2 conversely, what political issues voters of certain particular candidates tend to claim to 

3 subscribe to. The system may also identify what characteristics (political or other wise) are 

4 most prevalent or alternatively most unique to individuals which share an affinity for a 

5 particular candidate or a particular issue, or the system may recommend candidates based 

6 on existing candidate affinities. 

7 The techniques of the parent patent [Herz 98b] may also allow a synchronous -and 

8 asynchronous discussion with other individuals containing certain profiles (or identical 

9 profile characteristics). Again the pseudonymous server may be usefijl in this regard. The 

10 present system may also enable rating of candidates, in which various types of individuals 

1 1 (in aggregate) rate the candidate according to different criteria, characterizing the candidates 

12 on issues such as strengths or weaknesses. This is a usefiil polling example, the ratings may 

1 3 be revealed -according to various types of individuals. 

14 13,1.3.134 ^Example: A "Virtual" Jury 

15 The judicial process attempts to be as fair and equitable a possible by allowing a 

1 6 jury of "peers" to be entrusted with the responsibility of evaluating the guilt or innocence 

17 of a particular -individual as well as to determine the degree of liabiUty, the penalty and 

18 degree of financial compensation which justified in light of the circumstances. The 

19 information within the system of SDI could be used to store information about users, 

20 explicit and/or implicit information based on their browsing habits, and offer a service, e.g. 

21 in civil cases for jury selection based on characteristics of individuals. In a criminal case the 

22 "virtual jury" may be used in addition to a real jury, to provide additional feedback on a 

23 case. The virtual jury may be paid by the plaintiff to participate, e.g., in the case. The 

24 feedback fi-om the virtual jury may be presented to the judge and/or an actual jury before its 

25 own deliberations and verdict. In a novel variation- the virtual jury may even hedge bets 

26 upon its conclusions such that if they contradict the conclusions of the actual jury but are 

27 later determined to be correct tiie members receive compensation. The advent of live 

28 streaming video greatiy facilitates the feasibility of the current methodology. 

29 In a variation, it may be possible to apply the techniques of collaborative filtering 

30 towards automating the selection instead of those individuals which are representative of the 
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1 most diverse possible groups and clusters of individuals a cross a wide range of criteria 

2 (including such criteria as psychographics, ethnicity, intelligence, social status, etc.) hi fact, 

3 subject to some changes in the law, this approach would be a more efficient means of 

4 selecting a standard jury than the process of random selection. 

5 In one variation, the virtual is selected based upon similarity to the 

6 plaintiff, hi another, it may of individuals which are individually similar to both 

7 plaintiff and dependent on more effectively a combination of individuals who are similar 

8 individually to the plaintiff and the defendant respectively. It is believed, in addition to guilt 

9 innocence, a more equitable assessment of the monetary compensation which is provided to 

10 the plaintiff by defendant-, it such a equal mixture of empathizers from both sides 

1 1 constitute a virtual jury. 

12 iai .3.146 Example: Group Therapy 

13 There is a very useful and appropriate application for SDI to the automatic matching 

14 of individuals for purposes of group therapy. Individuals with commonality across many 

1 5 criteria can be selected, and multiple long-term groups adopted, hi an application of this 

1 6 system, it may be possible to broadly extend the present scheme to the general public (where 

1 7 privacy is secured via the proxy server) and -individuals may identify a group(s) which best 

1 8 fits their own unique emotional needs. It may also be useful to archive the sessions, index 

19 enabling the sessions and segments thereof to be searchable by keyword, e.g., via speech to 

20 text techniques and/or browsable by topical segment (which may be automatically 

21 segmented and labeled). The present system may also provide an ideal framework by which 

22 psychologists may identify patients of other psychologists that similar pseudonymous 

23 complements of psychological characteristics and symptoms, to allow targeted clinician 

24 interactions and robust and useful information fi-om therapeutic approaches and/or drug 

25 treatment regimens. 

26 In a variation, the present system methodology also enables a means by which much 

27 more specialized group session topics may be created which focus upon a very specific type 

28 of disorder, conflict or aspect of the patient's psyche. In this way, it may be possible for 

29 "identicai;i_— patients to, as group, focus upon different aspects of their ideal therapeutic 

30 regimen which collectively create a comprehensive customized treatment program. It is 
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1 worth noting that the specialization possibly associated with particular focused sessions (and 

2 even types of individuals) provides a framework by which clinicians can become extremely 

3 specialized and expert- within certain specific sub-domains of the field. 

4 It is certainly possible to adapt the above described technique for "smart interface" 

5 to provide usefiil ideas and suggestions for patients engaging in either psychotherapy or 

6 group therapy thus leveraging- the information and personal experiences within the 

7 therapeutic processes of the collection of patients precoding -them within similar topical 

8 sessions which shared very similar psychological and pathological patent profiles. 

9 It is certainly reasonable and appropriate to adopt the present application fi-amework 

10 to more several fields of medicine. For example, enabling physicians to identify other 

11 physicians -have had patients with the identical pathological profile and 

12 medical history. This enables them to current medical history and clinical data, 

1 3 insights, observations, etc., in order for the physician to the present clinical based on 

14 the expert advice and collaborative feedback from the other physicians possessing very 

1 5 similar experiences. Likewise patients could instantly access the physician or physicians 

16 which have or had experienced the most similar clinical situations that and the present 

1 7 situation of the patient in order to seek a second opinion. Physicians sharing unique clinical 

1 8 experiences (particularly clinically or scientifically in or series/problematic could use 

1 9 the scheme in order to companies, etc.. Finally one could 

20 also apply the 

21 

22 . 

23 

24 13^1. 3. 1§7 Example: A Personalized Educational Portal 

25 Another interesting application is to develop and- deploy a personalized on-line 

26 informational portal containing everything from helpful links, illustrative content, text 

27 book information, quiz questions etc. The Personalized Educational Portal (PEP) 

28 typically is designed specifically for a particular class and includes several key features 

29 which are optimally applied as part of a comprehensive intelligent educational system. 

30 These features include the following: 
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1 o The ability to dynamically customize all fomis of relevant infomiation from the 

2 educational portal. The criteria for this customization however is based not upon 

3 the preferences of the user (unless for example the user receives credit for studies or 

4 projects or research on topics which s/he may select, rather it is based upon a 

5 predicted profile of the user reflecting his/her strengths and in understanding the 

6 relevant content, hi particular the techniques of the issued patent number 6,029, 1 95 

7 [WHAT IS THIS PATENT NAME] describes a variation of user profiling in which 

8 users are able to achieve a proficiency profile within certain domains of 

9 informational content where these informational domain(s) are determined in 

10 accordance with user's ability to answer a certain question(s) intelligently, discuss 

1 1 the answer to a certain question or about a certain topic or provide a usefiil reference 

1 2 or URL based upon the level of satisfaction of the requestor. This technique in itself 

1 3 could be usefully applied within the present application framework. For example, 

14 users may be students, and "experts" fielding questions could be other students (like 

1 5 tutors of sorts) and the payment they receive may be monetary compensation or even 

1 6 school, credit where other student's satisfaction ratings both qualify them -for future 

1 7 opportunities to submit future responses within that particular knowledge domain 

1 8 as well as means of verification, and measurements of his/her proficiency over that 

1 9 particular material. 

20 o Using the techniques of the parent patent application it is possible to also customize 

21 content delivery (including quantity, depth, and difficulty level) which reflects the 

22 user's strengths /weaknesses within the various relevant knowledge domains. It is 

23 possible to even statistically- correlate tiie user's correct /incorrect responses to 

24 certain questions or types thereof as correlated- with each other by common terms in 

25 the question answer part concurring in similar -textual segments. These questions 

26 may be found in on-line exams or quiz questions associated with the actual content). 

27 It is possible to statistically correlate which content tends to best- remedy certain 

28 deficiencies (as determined by incorrect responses to certain questions) by the user 

29 importance -in being able to readily correctiy answer those types of questions 
3 0 following reading the pages. 
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1 It may also be useful to apply the above technique towards determining -which 

2 exam questions or combination thereof most commonly are revealing (if the student answers 

3 them correctly) of a student's proficiency within a particular small yet well definable sub- 

4 domain of knowledge, i.e. in which statistics show that If the student answers that sub-group 

5 correctly, s/he will likely answer the others in that sub domain correctly as well. 

6 A sub-set of each of -these exemplary questions fi-om each knowledge sub-domain 

7 may be allocated as questions -provided at the end of each relevant section of reading 

8 content- (which may be on-line, off-line or only the responses may be entered on-line, 

9 exclusively and if a wrong response is submitted, the system may recommend reading 

10 certain content which has (as above suggested) been statistically demonstrated to improve 

1 1 the student's proficiency in that sub-domain. It may also be possible to gauge in advance 

12 the students' predicted level and rate of advancement by knowledge domain via on-line 

1 3 psychological testing. Statistical correlations- between these test questions and the student's 

1 4 learning abilities (by knowledge domain) can be usefully developed. 

1 5 The system could even be constructed hierarchically by graduation -of skill levels 

16 i.e. initial mix of questions of varying difficulty levels in order to gauge what level of 

1 7 content to recommend. The questions which- follow are one level higher as is the next set of 

1 8 recommended- content unless improvement is not observed. 

19 It may be possible to a decision tree which automatically select which questions 

20 most effectively test the students, command of the materials (in this way a shorter exam 

21 may actually be better than for longer exams those questions which are more exemplary of 

22 such knowledge may carry greater weight). We could also effectively try to create a 

23 summary e.g. by topics /headings or even using text sunmiarization techniques- submit the 

24 areas of deficiency in one student to another student who is particularly proficient in that 

25 area for virtual tutorial. For this the tutor can receive monetary and/or also -scholastic 

26 credit. The ideal scenario is actually -creating virtual study sessions in which students are 

27 matched together which have the most -different complement of proficiencies/deficiencies 

28 as possible and where these areas of potential mutual exchange benefit are maximized and 

29 are revealed to both students -initially. Other forms of virtual -study groups could be 

30 achieved by grouping students by similar proficiency areas and levels and creating a "virtual 

31 tour" with questions and content presented synchronously to a group of correspondence 
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1 enabled students. In this way, -if virtual tutoring or study groups occurs on-line exclusively, 

2 it may be performed pseudonymously as desired. We can even take a defined study group 

3 and assign it to group projects which can (again) relate to content to which the group is 

4 (collectively) deficient, (as group oriented problem solving has been proven to be extremely 

5 effective in remedying such deficiencies. 

6 - In a very novel application, it may be possible to even statistically using historical 

7 data to analyze the -relative proficiency profiles of students by knowledge domain (perhaps) 

8 even fiirther by, learning ability in those domains by teacher. Thus a virtual class could be 

9 constructed using live streaming video which are truly customized to each student's 

10 particular needs and abilities, i.e. the idea would be before the semester to identify which 

11 teacher(s) were most successful in eliciting the highest levels of achievement among 

12 students which have an identical profile to that of tiie student (such statistics used in this 

1 3 profile may include but are not limited to the proficiencies / grades of the student in all other 

14 previous classes, psychological testing and/or (selective) knowledge domain proficiency 

1 5 questions (as above described). 

16 Certainly depending upon such investor's personal preference, it is reasonable for 

1 7 each to agree within their personal data disclosure policies to disclose to SDI data regarding 

18 the types of investments, amounts and under what conditions (including those conditions 

19 stated by other investors such as the example above). The conditions for this disclosure, 

20 however, would be that no individual data be disclosed to another investor, i.e., that it be 

21 used only for SDI to be able to reveal aggregate statistics and predictions how the 

22 investment community, in aggregate, interacts with investment opportunities, and under 

23 what conditions, and in exchange for this disclosure, each investor earns the right to access 

24 this aggregate data. The individual investor or SDI, acting on behalf of that investor, may 

25 then suggest the best terms and conditions with which to negotiate with other investors, in 

26 order to optimally achieve their own desired objectives, part of the condition statement to 

27 SDI could also include the amount of money to invest in each synergistic investment 

28 opportunity which SDI typically would suggest to the investor based upon the relative 

29 distribution of its presently invested funds, size of the available non-invested funds as well 

30 as the relative risk/benefit proposition of the company to tiiat investor (as estimated by 

3 1 SDI's use of company data as disclosed to that investor). SDI can even recommend or act 
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1 as a proxy, in negotiating with the individual companies (who themselves could use an SDI 

2 negotiating agent representing their own interests). E.g., SDI, acting for the investor, could 

3 leverage considerable information about not only, the present investment opportunity, but 

4 literally all other investment opportunities which had been submitted to SDI for 

5 consideration by SDI affiliated investors. Based upon the total benefit which the investor 

6 stands to gain which is based, in turn, upon the SDI recommended comprehensive 

7 investment strategy) and the relative downside (relative risks compared to other alternative 

8 prospects within the total pool of investment opportunities) may be used to determine basic 

9 parameters in which the investor or its SDI proxy would be willing to deal, e.g., the amount 

1 0 of funding, the associated amount of equity as well as other more subjective factors such as 

1 1 amount and nature of control, the use of the funds (e.g. will they be used for a particular 

12 technology product or service which, if developed, offers the primary degree of benefit to 

13 the investor's existing company(s). It -is also worth noting that SDI may identify those 

14 prospective investors whose collective cooperation would result in an economically optimal 

1 5 scenario for that investor. SDI, acting on behalf of the collective group of investors, may 

16 recommend data disclosure terms to each individual investor (or its SDI proxy) which will 

1 7 optimize the probability that the coalition resulting from the cooperation of all or most of the 

1 8 recommended participating investors will optimize the economic benefit to that individual 

19 investor. This data could be no more than predicted value (including marginal value) that 

20 particular investor would achieve the desired coalition were to be formed. Based on this 

21 data the investors or their SDI proxies could negotiate with one another in order for each 

22 investor to strive towards its own individuals best interest while attempting to assure that the 

23 global objectives of the coalition are ultimately achieved. E.g., that not only the best 

24 investment opportunities within this optimal global plan are funded but also the least 

25 desirable as well (of course this information would be concealed fi^om the companies at least 

26 until the negotiations are concluded). Accordingly, the relevant investors may wish to 

27 compete with one another for the best investment opportunities within this global plan or 

28 SDI with their unanimous cooperation again acting in their collective best interests may as a 

29 coalition assign investment opportunities to each investor assuring them each equitable 

30 treatment and, of course,... no competitive bidding for a given investment opportunity 

3 1 (which, of course, would result in ultimately more favorable terms to the collective group. 
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1 In this preferred application (of non-competitive bidding) the SDI agent for the 

2 collective group achieves a commitment from each prospective investor in the group that 

3 within a range of prospective terms, each investor would be willing to commit its 

4 participation in the proposed investment opportunity. Accordingly, each company 

5 (assuming there are more than one) also agrees to a predetermined range of terms with 

6 which it would be willing to accept from the collective group of investors. Both sets of 

7 information (typically recommended by the SDI representation each associated party) are 

8 disclosed to the main (party neutral) SDI entity. If overlap exists in the range of terms or the 

9 ranges are close to one another, the introduction and negotiation between the parties 

1 0 becomes initiated (through the company(s) are not made aware of whether the overlap exists 

11 or is merely 'Svithin the general proximity" of accept 

12 introductions on the interest of the parties (though most 

1 3 markedly the companies) 
14 

15 13.1.3.1§8 Example: A "Group-Think" Ideas Market 

16 In the consumer driven market place there is a significant unrecognized 

17 opportunity in being able to hamess the intellectual capital of the consumer market. 

1 8 Historically, (in a non-networked environment) leveraging of such knowledge has been 

19 impractical and virtually infeasible due to the inability to identify and measure this 

20 resource of human skills (and thus match this skill with in the appropriate matching 

21 problem)with the particular types of problems which companies may be in need of new 

22 ideas and solutions as well as the lack of a trusted intermediary which can validate on an 

23 impartial including basis the authentic contributions of the provider of the information (as 

24 not having been claimed by the recipient after the fact as having been previously 

25 conceived before). Of -course, there are remaining obstacles such as the fact that 

26 important problems are sometimes maintained confidential within a company (not even 

27 disclosed to some its own internal staff). 

28 With the emerging of extranets a certain amount of inter-organizational 

29 knowledge leveraging is becoming more readily achievable. A secondary advantage over 

30 an extranet is because of its ability to act as a trusted intermediary. It can validate the 
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1 fact that that the individual is only dealing with one commercial entity and not its 

2 competitors (at least formally). Thus unlike extranet based knowledge leveraging it is 

3 conceivable a trust relationship enabling a certain amount of privileged information 

4 disclosure is at least theoretically possible. 

5 In the preferred embodiment, SDI retains a record as to the particular 

6 problem/solution sets that were successfully or unsuccessfully provided by users in the 

7 past in order to improve predictions as to their abilities to successfully address the same 

8 types of problems/needs in the future as well as to more accurately determine the 

9 "similarity" of different and (perhaps often apparently) disparate problems from the 

1 0 standpoint of the user's ability to solve problems based upon knowledge of their ability to 

11 successftilly (or unsuccessfully) solve others SDI is entrusted with the knowledge of 

12 particular needs of organizations (it may, for example, cooperate with Think Task 

13 companies). These needs are commonly oriented ideas (though not exclusively so), for 

14 example, suggestions or ideas for product development, marketing, a business model or 

1 5 concept (such as a new business direction), content creation, technology or even potential 

16 commercial customers or strategic partners. In lieu of identifying particular problems to 

1 7 which an organization may be desiring a solution, users may instead provide their own 

18 ideas and/or solutions to needs or problems which they perceive SDI vis-a-vie its in- 

19 depth knowledge of the internal needs and problems of numerous entities is thus able to 

20 determine the relevance of the suggested solutions or ideas or alternatively identify a 

21 particular organization which is likely to possess matching need which is relevant. 

22 13.1 .3.179_ Experimental Validation of New Models: A Test-Market 

23 The system of Secure Data Interchange can be used for a test market application, 

24 where the effect of a vendor's new collaborative-filtering based targeting model, or new 

25 pricing model, or advertising campaign, can be tested by simulation and "hold-out" 

26 testing. 

27 A small sample of users can be targeted, and the results measured and reported to a 

28 vendor, before a vendor conmiits to an extensive campaign. This may provide a cheap 

29 method to test market conditions for a product, and run tests on sample groups selected on 

30 the basis of similarity to other products for which buyer response is known. Random 
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1 sampling of buyers may be initially performed using data mining as applied for marketing 

2 research. Based upon this initial response vendors may identify key features of respondents 

3 which are typical buyers, non-buyers, proponents, non-proponents, etc. Accordingly, rapid 

4 profiling (as similarly) may enable the automated or semi-automated selection of disclosed 

5 segments of users (containing particular attributes) which are likely to have relevant 

6 properties. The user selection process may be iterative based upon responses fi"om users as 

7 they are selected. 

8 We can demonstrate this value experimentally, for example we can offer a vendor a 

9 fi-ee-trial and present personalized information/advertisements to one group of SDI users 

1 0 (both on the site and if desired also across the network), and regular advertisements etc. to 

1 1 another group without the aid of SDI. The increase in vendor revenue can be estimated 

12 from client-level monitoring of the change in purchase volume achieved with well-focused 

13 solicitations on the vendor's own business. Other prospective ads and syndicated 

14 purchasables could likewise be virtually overlaid on the vendor's site. Thus degree of 

1 5 increased click through rates, transaction rates and syndication revenues could be tabulated 

16 for that vendor in advance of his/her subscribing (or even being solicited) to SDI. Portals 

17 are also potential beneficiaries of this service in light of their need to better target their 

18 partner's ads. 

19 The ability to the tailor a targeted marketing strategy to users knowing these 

20 correlations could- be extremely beneficial in both on-line as well as off-line commercial 

21 environments. In the process of selecting the target user profiles significant value may be 

22 achieved firom data collected fi"om that vendor's own on-line presence, and a portion can be 

23 sold to other similar vendors; as discussed in the main description of SDI, this now forms a 

24 cached query which can be used by other vendors. 

25 We might also demonstrate value to vendors with SDI by monitoring the 

26 performance of vendors with SDI technology, and providing metrics for new vendors to 

27 allow them to select suitable models of user targeting and personalization. Vendors that 

28 subscribe to SDI (the vendor centric version) can provide more attractive offers/products 

29 to users, based on information about the wider activities/interests of a user, on other 

30 vendor pages, and in the physical world (of course, only to the extent that this 

31 information is authorized by the user). Vendors can use information in the central SDI 
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1 data warehouse for users' cross vendor and within vendor browsing and purchasing 

2 habits, and also with respect to profiHng information about a user. 

3 One key application is first-time personalization, so that information and products 

4 can be targeted to a user when he/she first hits a web page, based on profile information 

5 that the user is willing to release. Vendors and users may also sell this information to 

6 other vendors. For example, information that a user likes a particular type of music is 

7 very valuable for vendors that sell content-based products, for example books, and CDs. 

8 Vendors can personalize their service, for example with coUaborafive-filtering based 

9 recommender systems. 

10 13.1 .3.4-820 Example: An Efficient Product Delivery System 

1 1 _The parent- issued patent [FILL IN THE PATENT NO.] describes an application of 

1 2 collaborative filtering to the strategic optimization of a vendor 5 business, for example to 

13 allow a vendor to select an optimal location for an inventory warehouse based on projected 

14 consumer purchasing patterns; using the aggregate purchase history of users at that site 

1 5 compared with the other purchase selections at other sites for similar users. The model can 

16 also be used to predict demand for new items, and optimal locations for inventory given 

1 7 warehouse locations. 

1 8 Now, within SDI the vendor can have control over two things: 

19 1 ) the vendor has access to profile information about users 

20 2) the-vendor has a method to personalize and annotate on a dynamic basis the 

2 1 presentation of products to a user. 

22 In common with the smart caching application of SDI to making communication 

23 networks more efficient, we can suggest an application to a product delivery system. At any 

24 moment a seller can have a good idea of the products that are available, and even the 

25 products that are in trucks etc., close to a prospective customer. This information allows the 

26 vendor to selectively present items that are close to the user, with labels such as ''this is 

27 within 30_minutes of your door, NOW'\ Messages like this allow a vendor to manage its 

28 delivery process, because predictions can be made about likely purchase patterns, and then 

29 stock that is brought close to user locations can be explicitiy advertised to those users. 
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1 Essentially, we attempt to predict transaction volume on a per item basis, and then 

2 positioning geographically physical inventory storage facility locations where inventory can 

3 be stocked so that items which a user is predicted to request are already located within the 

4 immediate physical proximity of that user. 

5 As the trend to disintermediation continues (whereby we have informational 

6 middlemen, but not middlemen that physically hold products) we can allow vendors to 

7 notify portal intermediaries of product location within SDI, so that the portals can then pass 

8 this information onto customers. 

9 The key role of the SDI system in this application is to allow users to receive 

10 personalized recommendations of products, and also product locations, based on their 

1 1 profile information — ^but without the vendors receiving that profile information, hi addition, 

12 the shared information about user profiles in the data warehouse allows vendors to build 

13 good models for inventory location. Finally, SDI can act as a trusted intermediary between 

14 different competing vendors: for example suppose Amazon users bookstore A and 

15 bookstore B to provide books, and A and B do not wish to tell each other where their 

1 6 products are. The stores tell SDI where the books are, and SDI presents that information to 

1 7 users on a per-book basis, as books as browsed within the purchasing system. 

18 There are numerous useful applications to improving quality, speed and cost of 

1 9 delivery to a user. In one example, it may be possible to provide same day delivery for on- 

20 line purchases. We could also restock a truck on the basis of what a local population of 

21 users are likely to purchase; with items presented to a user along with a particular 

22 anticipated delivery period, with the Global Positioning System (GPS) -or more LEIA 

23 [INSERT THE PATENT NO.] on the vehicle providing up-to-date information about a 

24 truck's location and anticipated delivery time. 

25 We might also suggest that a user can physically travel to some location close to 

26 his/her base, based on information within SDI about the user's travel patterns, etc. 

27 Purchasable items can then be located in locations that are convenient for users, or shipped 

28 dynamically to those locations (i.e. intermediate warehousing systems). Users can be 

29 provided with real-time directions to the location of such a pick-up point via personal digital 

30 assistants (PDA) and navigational devices, etc. 
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1 13,1 .4 _Push-based Advertising/Solicitation 

2 Another form of information that a user can submit to the central SDI database via 

3 his/her client is the advertising acceptance functions, which state the explicit preferences of 

4 a user for adverts, and required payments. The level of compensation that a user requires to 

5 receive an advertisement will depend on the relevance of an advert. 

6 An application of SDI is that vendors can use the centrally stored information to 

7 request that as a result of a query the query-execution module in the central SDI data 

8 warehouse sends advertising solicitations to appropriate users, i.e. users that are willing to 

9 receive adverts as specified within their acceptance functions, and willing to release profile 

1 0 information to enable useful advertising as specified in their price rules for regular data. 

11 Figure 15 illustrates the system for push-based advertising. A vendor requests the 

12 right to advertise to users by sending a special type of query to the central SDI data base, 

13 where the query states the vendors preferences for user profiles and requests that adverts be 

14 sent to users. The vendor never receives the contact information for user's directly. The 

1 5 server also receives payments from vendors and credits users' accounts. 

1 6 Suppose Vendor V wants to advertise a new product to relevant users. Vendor V can 



17 use the SDI database to select users with a high predicted hit rate for the advert, and then 

1 8 compute the value of a bid that it is prepared to pay users for the right to provide them with 

1 9 its advert. The vendor makes a request for bids to appropriate users by formulating this as a 

20 query with an associated action, and submits to the central SDI data warehouse where it is 

21 handled by the query-execution module. Part of the query is a bid function, indicating the 

22 maximum amount that a vendor will pay to display an advert. 

23 The query-execution module evaluates the request with respect to the profiles of 

24 each user, the rules that agents submit for allowing access to profile information, and the 

25 advert acceptance functions. If successful the vendor pays the minimum value necessary to 

26 have its ad accepted by the user, again simulating a Vickrey auction as for the dynamic 

27 competition for banner ads described earlier. 

28 For example, suppose a vendor has an advert Ad to push to users, and is willing to 

29 pay up to $1 to place the advert with users that have a predicted hit rate of greater than 30% 

30 on the advert. The vendor can formulate a query that will first- identify users with a 

31 predicted hit rate that is greater than 30%, and then determine which users will accept the 
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1 adverts at the bid price. If successful, the adverts are pushed to the users via the SDI central 

2 data warehouse, and the payment required by each user is submitted, less than $1 in all 

3 cases. In a simple variation, the vendor might also state a fixed budget, so that it does not 

4 send advertisements to more users than it can afford. 
5 

6 We can use the same profile information that provides focused/personalized service 

7 to users that hit a site that they have not visited before to form well-targeted mailing lists for 

8 vendors. The Secure Data Interchange can form mailing lists in a number of different ways. 

9 First, consider a vendor that wishes to send targeted mail to some of its own user-base. 

10 When users connect to a site they indicate whether or not they are willing to receive 

1 1 electronic mail, and provide a "mail certificate" to a vendor if they are happy to receive 

1 2 mail. The Secure Data Interchange can proceed as follows: 

13 (a) Perform analysis for the vendor to determine an appropriate set of users to receive 

14 the solicitation, based on the information that the vendor provides about what it 

1 5 intends to market, and provide the list of pseudonyms to the vendor for mailing; 

16 (b) Perform the same analysis, but also forward the communication to the users 

1 7 directly. 
18 

19 ^Now, consider a vendor that wishes to target new users, represented with different 

20 pseudonyms. Users indicate whether the information that a vendor submits about his/her 

21 transactions may be used for solicitations, and fiirthermore vendors indicate the set of 

22 business interests that can receive the benefit of information that is submitted to the central 

23 SDI server. The SDI server can continue by performing analysis on the relevant subset of 

24 the permitted class of data records that pertains to the product or service that the vendor 

25 wishes to model, and generate a list of appropriate pseudonyms. Finally, the SDI server can 

26 sell the pseudonyms to the vendor outright, together with a certificate that the vendor can 

27 send mail to the pseudonyms, or the SDI server can retain control by sending the mail on 
2 8 behalf of the vendor. 

29 Provide vendors with virtual mailing lists that can be mailed to via the proxy server 

30 only. i.e. these customers should be solicited based on our analysis, (could even give 

3 1 summary info., without revealing details about users). Furthermore, do not even reveal data 
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1 that corresponds to a pseudonym to a vendor because the vendor then has that information 

2 about me when I am on his site. 

3 A central data warehouse also enables vendors to identify new potential customers. 

4 This process is broken down into a number of steps: 

5 (i) The vendor assesses the value of the information present in the secure data 

6 interchange. This computation is performed securely either by revealing randomized 

7 aggregates to the vendor to enable its own local analysis, or by allowing the vendor to 

8 check data and algorithms into the secure data interchange site for analysis. 

9 (ii) The vendor selects criteria for mailing unsolicited advertisements, and agrees on a 

10 pricing model. In this case per-impression pricing is the most obvious pricing model, 

11 as it is difficult to monitor when a user responds to unsolicited mail per-transaction 

12 pricing is difficult. The user could be motivated to do this should the Secure Data 

13 Interchange promise fiiture returns for recording a successful solicitation with the 

14 database. 

15 (iii)Either the data list is released to the vendor for its use, if this is within the selling 

16 vendor's data policy, or the data interchange sends mailings on behalf of the 

1 7 purchasing vendor. 

18 13,1 .5 Community Dollars and Business Models 

19 The primary objective of the iamworthit model is to create a market for 

20 information about buyers, with agents that submit profile and other personal information 

21 to the database able to collect payment in return for queries executed by vendors. In an 

22 important extension, we can allow this payment to be made in terms of community 

23 dollars, which can only be spent with particular vendors. Community dollars allow a user 

24 that provides profile information to the system of SDI to receive payments that are 

25 dedicated for a particular type of purchase, these payments are called "community 

26 dollars". One central example is to allow a vendor that signs a user into the SDI system to 

27 be able to lock a proportion of payments accrued by that user to the vendor's own 

28 product/service domain. This is important, because vendors now have incentives to bring 

29 new users into the system. A vendor can offer a user community dollars on its (and its 

30 affiliates) web site, in exchange for receiving user data via the SDI data exchange. 
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1 

2 We allow vendors to pay in "community dollars'' for adverts, dollars that can only 

3 be spent at that vendor (with the host site of the advert receiving a share of the profits). This 

4 provides vendors with the ability to gain long-term customers. Furthermore, so long as the 

5 buyer agrees to receive advertising from his/her iamworthit subscription offer, community 

6 dollars can be replenished at the rate at which advertisers are willing to pay for impressions. 

7 This provides buyers with an incentive to spend at the vendor's site, because the vendor can 

8 monitor (pseudonymously) the buyer's that are sensitive to discounts and other special 

9 offers (that are delivered as community dollars). With community dollars a vendor can 

10 compensate buyers for information that they access, but tie that information to certain 

1 1 vendors (e.g. the vendors that first signed the user into the system). The system has the 

1 2 following useful properties : 

13 (1) buyers are incentivized to provide information that allows vendors to push relevant 

1 4 advertisements/products ; 

1 5 (2) buyers will also be more likely to make purchases at a site or a coalition of sites for 

1 6 which they can receive discounts via community dollars; 

1 7 (3) providing buyers with community dollars will increase the number of hits to a site. 

1 8 We allow buyers to receive compensation for providing personal data to vendors, 

19 information that has value to vendors because it allows information to be focused (for 

20 example relevant ads can be displayed to a buyer, based on his/her profile). The system of 

21 iamworthit credits buyers for information, and provides buyers with direct incentives to 

22 reveal profile information to vendors. 

23 A vendor can sign up with iamworthit.com and agree to provide only the most 

24 restrictive type of community dollars, that can be spent at that vendors site. Community 

25 dollars are the currency that vendors provide in return for the right to provide focused 

26 information to buyers. Dollars can be general (e.g. for a network of vendors), or very tightly 

27 focused (e.g. for a particular product, at a particular time). The buyer-centric infomediary 

28 acts as a broker, matching buyers and vendors. Another key role of the infomediary (e.g. the 

29 portal) is to protect the buyer from information saturation by controlling the flow of 

30 solicitations, (i.e. restrict the number of ads. that a buyer sees) 
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1 Community dollars extend the methods in Secure Data Interchange that allow a user 

2 agent to sell controlled access to information to other agents, introducing in addition a 

3 method which can control the ability of a user to spend received payments. For example, a 

4 vendor might be happy to pay a user for the right to display a targeted advertisement if the 

5 payment represents a discount that can only be used against products offered by that vendor. 

6 Community dollars provide this functionality, allowing dollar payments to be limited to 

7 reimbursement in particular "communities" of vendors and/or other agents. 

8 Community dollars instead are more configurable than traditional currencies, which 

9 by their very nature are transferable to any agent. In particular community dollars can be 

10 restricted to spending at certain vendors, can also have non-linear values to encourage 

1 1 loyalty from buyers. 

12 The novelty in our description of community dollars in comparison to current 

1 3 methods known in the art for electronic cash is that we allow e-cash to be targeted so that it 

14 can be spent in particular ways, to be smart so that it can accrue value in non-linear ways, 

1 5 and to be transferable only between the pseudonyms that belong to the same agent. 

16 13.1.5.1 Simple Business Models 

1 7 A vendor that allows community dollars to be spent does not need to implement a 

1 8 special community dollars/discounts program. The buyer can also be issued a special debit 

19 account dedicated to community dollars, that permits pseudonymous transactions without 

20 revealing a buyer's portfolio of pseudonyms. 

21 A portal site that hosts advertisers and buyers that subscribe to iamworthit can 

22 mandate that all community dollars are to be spent at sites that advertise on the portal site, 

23 and also only when the sites are accessed via the portal site. This technique will increase 

24 portal traffic. Portals can be expected to compete in terms of: (a) the fraction of advertising 

25 revenue that is turned over to buyers, in retum for receiving profile information from buyers; 

26 (b) the level of advertising that buyers are exposed to; © the nature of the community dollars 

27 "package", i.e. what vendors can the dollars be used at etc. This can be useful to attract 

28 niche customers, that have common outlooks, interests, and business needs. The primary 

29 goal of the portal is to drive traffic through the portal. 
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1 The main mode of the community dollars advertising model allows vendors to 

2 advertise for free, but provide community dollars to buyers, that can be spent at some later 

3 time. The cost of advertising can be linked to the success of advertising. Moreover, the 

4 vendor can direct offers and adverts to particular user profiles. The hosting web page 

5 receives a share of the vendor's revenue that comes from transactions involving community 

6 dollars. The dollars can represent "stored value", such as bonus points, that can be applied to 

7 special discounts for offers which are delivered via digital coupons and/or as "straight 

8 value" which could be converted directly to purchases thus are equivalent to real dollars at 

9 the point of transaction. 

10 The community dollars can be "credits" that can be redeemed as real cash, credits 

1 1 towards discounts, and can be spent across a suite of sites, or limited to one site. The co- 

1 2 pending patent application entitled "System for the Automatic Determination of Customized 

13 Prices and Promotions" [ INSERT THE PATENT NO U.S. Patent App. 1Q/262J23 t1 

14 describes a comprehensive scheme which may be implemented in either on-line or off-line 

1 5 commerce environments. The system enables vendors to deliver a digital message in the 

1 6 form of a promise to a buyer (typically on encrypted form for purposes of targeting a buyer 

17 specifically). This promise is typically a discount for a product, set of products (or all 

1 8 products in stock) or may even include entitlement to special privileges for that buyer, thus 

19 it is termed a "digital coupon". The community dollars can represent special discounts for a 

20 buyer. 

21 The buyer receives a financial incentive for receiving well-targeted solicitations, 

22 while preserving buyer privacy within the SDI system. The vendors support the conmiunity 

23 dollars through advertising revenues and increased sales volume. We can also provide the 

24 vendor through which the buyer first subscribes a special "first screen" right that allows the 

25 vendor to provide a buyer with his/her first impression as soon as s/he logs on. 

26 Of course many variations of the community dollars scheme are conceivable and the 

27 current description is in no way intended to limit the scope of the claimed invention. For 

28 example, the ad revenues generated may instead be apportioned between direct payment 

29 which the buyer receives, in real cash, community dollars which the vendor (or ISP) credits 

30 the buyer and/or direct payment which the vendor (or ISP) receives as well as iamworthit or 
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1 any combination of the above such as exclusively direct payment which is apportioned 

2 between the buyer and the vendor (in the absence of the community dollars scheme). 

3 In one variation all community dollars collected by a buyer must be spent back at the 

4 vendor site at which they originally subscribed (and also the site that hosts the adverts of 

5 other vendors). A buyer can spend the dollars with any vendors that are site partners of the 

6 original site. This provides the vendor an incentive to accept and promote the community 

7 dollars concept. 

8 The value of providing a buyer with targeted solicitations is estimated at 

9 approximately $300 to $500 per year (based upon $120 per 1000 targeted impressions at 

10 approximately 25 impressions per day). Given these significant benefits, a vendor can 

1 1 provide a buyer with a significant discount (in the form of community dollars). Vendors 

12 benefit fi*om increased sales volumes. When the price of items is less than the value of 

13 dollars, the vendor can limit the amount of discount that is available on any single product, 

14 or only allow community dollars to be applied towards customer discounts (which may 

1 5 nevertheless be quite substantial). 

16 13^1 .5.2 Jmplementation Details 

1 7 We can use meta-tags to restrict the way that community dollars can be spent. The 

18 tag associates the dollar, but the dollar is released within the system of blinded signatures 

19 [Chaum 85; Chaum 92] so that a buyer that collects dollars over many transactions with 

20 different vendors can spend the dollars without compromising his/her private information 

21 about pseudonyms. Dollars can be restricted to a number of vendors, and also restricted in 

22 additional ways — i.e. they can only be sent if the buyer visits the site through a particular 

23 portal, cannot be redeemed at a competitor, are worth a bonus if redeemed with certain 

24 vendors, etc. 

25 The technology used to implement community dollars is based on cryptographic 

26 techniques known in the art, for example within a digital signature scheme for electronic- 

27 cash as described in the work of Chaum [Chaum 85; Chaum 92]. The core fiinctionality 

28 which must be supported by any system for community dollars within SDI is: 
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1 a) An agent can receive community dollars under multiple pseudonyms but spend 

2 the dollars under the same pseudonym. The dollars must not allow an adversary to 

3 link the pseudonyms and break a user's identity. 

4 b) Community dollars can be restricted to be spent with certain vendors and for 

5 particular products/services. 

6 c) Community dollars can accrue (and lose) value in non-linear ways. 
7 

8 The function of (b) can be supported within a system of electronic coupons, based 

9 on cryptography, as disclosed by Tygar et. al. [Tygar 98]. Alternatively, we can extend 

10 Chaum's [Chaum 85; Chaum 92] technique of blinded signatures to allow dollars to be 

1 1 signed with the private key of a certifying agency, where the key is the private pair of a 

1 2 public key which indicates the ways in which the dollars can be spent. 

13 The use of blinded signatures ensures that at the point of validation of cash, where a 



14 stream of random bits is signed by the "bank" to validate its value and restrict its use, the 

1 5 bank is blinded as to the identity of the bits, so that no-one other than the agent that creates 

16 the bit stream can trace the cash. This allows community dollars to be transferred between 

1 7 multiple pseudonyms of the same agent without being used- to break an agent's identity. A 

18 vendor will accept community dollars as part-payment so long as the digital signatures 

1 9 indicate that the dollars are valid for the purchase. An extension to the scheme presents 

20 duplication, with real-time verification of tokens. The vendor can finally exchange the 



2 1 dollars for "regular" cash via an electronic bank that accepts community dollars (debiting an 

22 associated account). 

23 , We suggest an electronic wallet application to allow users to store tokens locally, 

24 and then transfer them securely between pseudonyms. The electronic wallet can be 

25 implemented in a client-side SDI proxy, or within the central SDI data warehouse, within 

26 the eBank module. The invention draws on techniques described in D. Chaum [Chaum 88; 

27 Chaum 92], where the use of a secure chip in "smart card" technology prevents the 

28 tampering and duplication of e-cash. 

29 The solution proposed is that all e-cash must be signed not only with the private key 

30 of a vendor, but also with the private key that corresponds to a particular pseudonym within 

3 1 SDL This is illustrated in Figure 16. 



Page 203 of 381 



SUBSTITUTE SPECIFICATION 



1 Effectively cash becomes a one-to-one mechanism for payment, tied to future 

2 transactions between a user under a particular pseudonym and a particular vendor, for a 

3 particular purpose. The eBank allows a user to transfer cash across pseudonyms via the 

4 client-side SDI proxy which maintains the user's profile identifiers. 

5 We support a dollar transfer command, of the forai TRANSFER_(PID_1, PID_2, 

6 amount) where PID l and PID_2 are the public keys to identify two pseudonyms owned by 

7 the same agent. Before executing such a transaction the eBank requires that the requestor 

8 answers challenges for both identities, for example signing random messages with the 

9 corresponding private keys. This proves that the requesting agent has authority for both 

1 0 pseudonyms. Finally, we need to be sure that the pseudonyms belong to the same subscriber 

1 1 to SDI, which is possible via the one-way identity look-up functionality of tiie central SDI 

12 data warehouse. The eBank can query the look-up table, and check that both PIDs 

1 3 correspond to the same UUID. 

14 For example, an amount of dollars below a certain threshold can be programmed to 

1 5 have no value, but additional dollars can have increasing marginal value. This provide a 

1 6 non-linear incentive for a user to stay with the same vendor in a market with low switching 

1 7 costs, or a non-linear incentive for a user to receive adverts fi^om the same advertising agent. 

1 8 The advantages to vendors and advertisers are repeat purchases, consumer lock-in, and also 

1 9 improved profiling fi*om interacting with the same agent over extended periods of time. 

20 The functionality is embedded into the community dollars. The fi"amework expands 

21 the idea presented in Chaum [Chaum 85; Chaum 92] where the public key of a public key 

22 /private key pair indicates the dollar value of a community dollar. In this case, we allow any 

23 number of public-key/private-key pairs, and use the public key as an index into a table 

24 maintained within the eBank to provide additional criteria about how the cash can be 

25 redeemed, for example it has more value if used in combination with other community 

26 dollars, it decays over time fi-om data YYATV'/YY, etc... We do not intend to limit the 

27 variations possible, but provide this as a framework for ways in which constraints and 

28 conditions on community dollars can be extended. For example, community dollars can also 

29 be programmed to lose value over time. This can increase the number of repeat purchases 

30 In the preferred implementation we use an "electronic cash" infi-astructure for the 

31 community dollar system. A buyer's SDI-enabled client-level proxy stores dollars that the 
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1 buyer receives securely. Dollars are anonymous and non-traceable, so that the buyer can 

2 maintain a single "bank" of dollars, and aggregate dollars collected across pseudonyms for a 

3 single purchase, so long as the purchase satisfies the constraints on the dollars. Each dollar is 

4 created using Chaum's blinded signature technique, and also signed with the conditions on 

5 its use. 

6 This scheme allows vendors to monitor the offers that buyers respond to, because 

7 when a buyer presents a community dollar — the dollar can be validated to indicate the type 

8 of discount that it is, even if the identity of the dollar (i.e. the serial number) is untraceable. 

9 SDI provides vendors with guarantees that buyers have once-in-a-lifetime pseudonyms, so 

1 0 redeeming a voucher of a particular type that is redeemable only at vendor V and was issued 

11 by vendor V allows vendor V to be sure that the voucher was issued under the same 

1 2 pseudonym, and has not been transferred to another of the buyer's pseudonyms. 

13 In an alternative architecture, the ISP-level SDI proxy, or the web-host for the 

14 advertising service, can maintain community dollar "debit" accounts for each buyer. This is 

15 more limited, because it does not allow buyers to transfer dollars between pseudonyms 

16 without compromising privacy (revealing a portfolio of pseudonyms). However, in a 

1 7 scheme where advertisers require that agents have once-in-a-lifetime pseudonyms, and only 

1 8 release community dollars to be redeemed at their own site, this is not limiting. Both of 

1 9 these approaches are useful for "community dollar-enabling" numerous or all sites. 



20 13^1 .5,3, Example Community Dollar Applications 



21 



o On-line Gaming site. 



22 



29 



28 



27 



30 



26 



24 



25 



23 



Consider an on-line gaming site that has a network of affiliated vendors, that do not 
pay to advertise, but provide community dollars that can be spent either at the 
vendors — or at the casino. When buyers lose money at the casino the casino receives 
real dollars from vendors. The casino is one possible outlet for spending dollars — and 
a vendor only pays the casino (the host of its ads) if a buyer chooses to gamble on the 
site, and loses its dollars. The gaming site becomes a portal, with links to partner 
vendors. Each vendor offers the buyer community dollars, that can only be spent 
back at that site or at the casino. However, the number of dollars which can be spent 
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1 at the store is substantially less than the number of community dollars which can be 

2 spent at the casino. IF the buyer accepts the credits, whenever the buyer accesses the 

3 URL to the store he/she is either automatically routed first to the casino portal or to 

4 the vendor site whereby a prominent banner is displayed which is displayed to that 

5 particular buyer fi:-om which the buyer can conveniently engage in a casino gaming 

6 session. 
7 

8 If the buyer loses a substantial amount of community dollars he/she may regain the 

9 lost credits by spending a specified amount (in real dollars) at a partner vendor. This 

10 provides a safety-net for buyers. The cost to the vendor is the cost of the dollars that 

1 1 the buyer lost at the casino, and the cost of replenishing the buyer's community 

1 2 dollars (which can be used for fiirther gambling). However, the vendor makes a 

13 sale — so the vendor is happy so long as the dollar value is a reasonable discount for 

14 the sale. Clearly, the casino gains substantially through the redemption of these 

1 5 community dollars. The vendors can make an agreement with the casino where they 

1 6 only compensate a fi:'action of community dollars. A percentage of a buyer's profits 

17 at a casino are paid in community dollars, another percentage can be paid in real 

1 8 dollars. Perhaps the casino can also provide vendors with a revenue share. 
19 

20 We allow for community dollars that are restricted to particular products, and 

21 customized for an individual buyer. The dollar-object can contain two parts: the first 

22 part is readable to the buyer, and indicates the nature and the amount of the discounts 

23 to which the credits can be applied. The second part of the message is encrypted, and 

24 accessible only to the vendor, and is signed by the vendor to prevent any form of 

25 alteration. The information can contain the dollar credit to the buyer, the terms and 

26 conditions of the community dollars, a dollar amount, the pseudonym ID of the buyer, 

27 an expiration date, the terms and conditions of discounts and special offers to which 

28 community dollars may be applied in combination with a partial cash transaction. 
29 

30 The vendor must check that it has not previously redeemed any piece of community 

3 1 currency with the same identifier; the identity of the buyer is correct; the date; the 
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1 terms and conditions. Some vendors may allow redemption of the community dollars 

2 at other vendors' sites. 
3 

4 o Web-hosting Application. 

5 One of the commercial applications of which community dollars may be used is in 

6 offering web sites free web development services and/or free web hosting services. In 

7 the former case a Web development tool provider could share in the community dollars 

8 revenue stream from iamworthit ad revenues, and accordingly cover the costs of the tool 

9 suite. Whenever new upgrades including new development modules are added, the 

10 costs could be covered by an incremental increase in the percentage of advertiser 

1 1 transactions. There is considerable economic pressure on web tool providers to provide 

12 competitive solutions which are not only rapidly deployable but also extremely robust 

13 (typically bundling some form of personalization technology), thus as a result of 

14 economic pressure to drive advertising and e-commerce transactions through the site 

1 5 (often through the use of a revenue sharing model which can reduce upfront costs to the 

16 vendor substantially), iamworthit through its customer loyalty enhancement capability 

17 provided by community dollars can significantly improve the effectiveness of 

18 personalization at the site (perhaps more significantly than cookies which often are 

1 9 blocked and all typically not implemented so as to be recognizable across the collection 

20 of sites which the tool provider supplies or the web host services). 
21 

22 It is believed that the revenue sharing model may be structured to cover both the cost of 

23 the tools, web development services as well as web hosting (thus unless he himself 

24 offers a complete tum key suite of solutions and services a tool provider which 

25 integrated the community dollars concept could be in an extremely competitively 

26 advantageous position in attracting strategic relationships with Web developers and Web 

27 hosts. The tool provider may for example sell an ad server module or could 

28 "automatically subscribe" the user with an opt-out option. The very fact that all of the 

29 tool , Web development or hosting provider's sites are exempt from ad blocking/ad 

30 replacement technology (barring iamworthit competitors) would be a significant 

3 1 motivating factor in incentivizing sites to utilize their services (e.g. through promotional 
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1 programs). An emerging large market for Web development is providing these services 

2 to individual end-users. Completely free services in this regard would likely mobilize 

3 what activity in what is now a dormant, albeit enormous commercial market. For 

4 example, tools for developing elaborate Web-wide community portals could have 

5 customized community links which are matched to the user's personal profile. Visitors 

6 to the site (subscribed to iamworthit) could experience an additional layer of 

7 personalization based upon their own user profiles. 
8 

9 Web hosts may also use an additional feature (optionally to significantly drive increased 

10 traffic through potentially all sites on their network. This optional feature is a set of 

1 1 links (e.g. along the side of the user's screen). These links are used to point the user to 

12 other relevant pages issuing aggregate site usage statistics of their visitors (as described 

13 in the parent patent application) iamworthit, user referral links may additionally 

1 4 personalized based upon their user profiles. 

15 13.1.5,4 ^Vendor coalitions 

16 Vendors may choose to form coalitions, to allow buyers to spend community 



17 dollars at any "partner" site. Vendors that have similar buyer bases can be automatically 

18 identified using collaborative filtering, (i.e. determining similarity with the present 

19 vendor, from the aggregate vendor preferences of a given vendor's subscribers). Also, 

20 these resulting metrics could incorporate predicted online spending by each buyer at each 

21 site. This could help to narrow the selection of sites the vendor wishes to partner with 

22 and/or the selection of these partner sites could be determined and presented to the buyer 

23 to even further narrow the selection for each buyer. All vendors in a coalition advertise, 

24 and provide cross-links and up-links to other vendors. 

25 The coalition model is good for buyers that are more likely to find products that 

26 they want. Vendors can share the risk of advertising, since dollars provided to one buyer 

27 by a particular vendor can be redeemed at another vendor. Advertising and community 

28 dollars increases sales volume at all vendors in the coalition. Furthermore, studies on on- 

29 line buying behavior suggest that on-line shoppers tend to make purchases across a 

30 variety of categories of e-commerce products, thus it is likely that they would also prefer 
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1 the freedom and flexibility which is associated and can be provided in this way only by 

2 deploying a multi-site community dollars scheme. lamworthit usage statistics are very 

3 effective in identifying prospective vendor coalitions which consist of complementary 

4 (non-competitive) vendors. Alternatively, personalized coalitions which can be created in 

5 ad-hoc fashion for each buyer can further serve the buyer's interests by increasing the 

6 freedom and flexibility which the buyer often strongly desires. Though practically this 

7 can only occur for those (perhaps smaller less commercially significant) vendors which 

8 have not been a major coalition consisting of vendors which many buyers tend to use 

9 which collectively serve a substantial percentage of the overall user base. 

10 Thus if the vendors have not established firm partnerships with other vendors, we 

11 can even allow vendors to form dynamic and virtual coalitions within SDI, with a 

12 potentially unique coalition of vendors for each buyer. The coalition may consist of an 

13 optimal pool of vendors, as determined by SDI collaborative filtering techniques. The 

14 goal in this model is to provide buyers with a particular "brand" of community dollars. 

1 5 o Multi-vendor Community Dollar Portal 

16 We can allow each vendor to retain an exclusive right to advertise to each buyer; and 

17 also develop a portal for the coalition — that gives advertising prominence to coalition 

18 members. Portals will be expected to aggressively promote community dollars. 

19 Buyers that collect community dollars become loyal return visitors to the portal and 

20 its associated vendors. In the case the vendors do not generate the same value we can 

21 provide community dollars in proportion to the value that a vendor contributes to a 

22 coalition. 
23 

24 We can also provide targeted advertisements for the vendors at the portal, using the 

25 user profile to focus ads. The categories and links at a portal (that might include a 

26 search engine) can be re-prioritized (highlighted and/or re-ranked) in accordance with 

27 the buyer's preferences (as described above), and to favor subscribing vendors. In 

28 commercial practice, the motivation for vendors to become coalition members is 

29 largely driven by customer partnerships with providers of e-commerce tools and 

30 solutions. There are many emerging trends by which these intermediary tool 

31 providers could conceivably integrate community dollars. Consider loyalty points 
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1 (e.g. www.mvpoints.com ) or loyalty bonuses programs (e.g. www.clickrewards.com) . 

2 These points or bonuses could be substantially subsidized by the advertising and 

3 deeper benefits passed onto the consumer. Other simpler technology which would 

4 compel these vendors to cooperate include shopping basket technology, the emerging 

5 standard, ECML, common Web tool and/or tool development solutions, common 

6 hosting solutions, common ad delivery systems. 
7 

8 Vendors pay the portal site to advertise, and the portal provides community dollars to 

9 buyers in return for privacy-protected profile information. This model does not 

10 provide incentives for the portal to provide well-targeted adverts, because there is no 

1 1 direct link between a portal's revenue stream and the vendors' sales volumes. 
12 

1 3 A portal with community dollars that can only be spent under a single pseudonym at 

14 its partner sites also provides an incentive to buyers to interact under a single 

15 pseudonym — which in tum allows a portal to profile buyers across its complete 

16 vendor partner network. Buyers will access many sites with the same pseudonym. 

17 The system of SDI allows vendors to leverage the shared profile information as 

1 8 buyers browse web pages and products. 

19 We can also lock buyers into a single portal — and a single coalition of vendors — with 

20 community dollars that "decay" over time, and must be continually replenished. In 

21 this way a buyer carmot pick and choose different portals, and different community 

22 dollars, but can benefit mainly fi-om high web-browsing volume through a single 

23 portal. The value to vendors in terms of consumer lock-in can be considerable. 

24 o Affiliate Network. A coalition of vendors can join to allow a buyer unlimited 

25 access over all affiliate vendors. The program can be sold through the existing 

26 marketing channels of each vendor, as well as through a portal directory of sites 

27 for those vendors. Vendors that join can be required to promote the program 

28 through their own marketing channels. Additionally, perhaps vendors are selected 

29 to cover exclusive physical regions (e.g. in the case of a set of ski resorts), or 

30 exclusive product categories (e.g. in the case of on-line vendors). Vendors can 

31 provide a community dollar- for-real dollar exchange, in return for becoming part 
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1 of a vendor network. Alternatively, perhaps vendors provide an up-front fee, 

2 that can be recovered via dollars spent by buyers at their own site. Each vendor 

3 is obligated to sell the partner network community dollars, but is not -necessarily 

4 required to promote the other community dollar vendors. 

5 An affiliate program could be developed by partnering with the affiliate network's 

6 advertising. Typically each advertiser provides a purchasable(s) which affiliate sites 

7 offer for sale on their sites in exchange for a percentage of the resulting sales. In the 

8 community dollars variation, each vendor agrees to tailor an offer for their 

9 products/services on the affiliate network which is subsidized by community dollars 

10 which the user collects after subscribing to iamworthit. An example solicitation 

1 1 could be "receive $100.00 free credit toward future purchases at booksamillion.com 

12 plus $50.00 cash. 

1 3 o Creation of an iamworthit online multi-store retail site. Establish a retail presence 

14 in a (or potentially multiple) retail niches. The primary business model would be 

1 5 to leverage existing large iamworthit subscriber base (involving the other various 

16 types of commercial partners) in order to dedicate a certain percentage of the 

17 community dollars (e.g. thirty percent or approximately one hundred fifty dollars 

18 per customer) which could only be redeemed at that multi-store retail site (and/or 

19 the value of these dollars could be worth more at the retail site). In addifion, in 

20 this model, the independent advertising initiative of iamworthit would be geared 

21 towards community dollar credit of that retail site. It should be noted that, because 

22 if other outside competition occurs to the basic iamworthit scheme to a substantial 

23 degree there will not be a compelling incentive for buyers to adopt a more 

24 restricted form of valve (as retail credits at a particular site), versus accepting the 

25 credit from a competitor in the form of cash. Thus this model could provide a 

26 viable means for attaining a leading position in one or more on-line retail markets 

27 if this competition does not substantially exist. 
28 

29 o Marketing Network. Iamworthit sites which offer a community dollars promotion 

30 could, upon the buyers subscribing to iamworthit, additionally offer the buyer 

3 1 with a down-loadable client based software which provides a small promotion in 
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1 conjunction with a link to iamworthit. Each time a recipient of the email 

2 subscribes to iamworthit, a percentage of the value of that customer is credited 

3 back to the buyer in the form of community dollars. Each subscriber resulting 

4 from the current subscriber's email (though reduced) provides an additional credit 

5 to the original subscriber in accordance with the marketing network business 

6 model. If the site originally delivering the promotion is not an e-commerce site, 

7 a percentage of advertising revenues resulting from the subscriber (and potentially 

8 all resulting subscribers) could be used. It could be applied in the form of 

9 iamworthit advertising (or exchanged) for advertising in an ad -server. 
10 

1 1 o Free Web hosting. _A portion of community dollars may be allocated in a revenue 

1 2 sharing arrangement between the buyer and the web-site from which subscriptions 

1 3 to the service are provided, thus enabling Web hosts to offer free hosting services 

14 while also receiving full payment which is iamworthit advertising supported. 

1 5 Iamworthit could also easily use its vast statistical data collected form each site in 

16 the hosting network in order to predict which sites tend to be most commonly 

1 7 linked to from the present site (and/or share "similar contenf ). This technique is 

18 described in the parent patent application by establishing these links users can 

19 better access relevant information-. In one preferred variation, all non- customer's 

20 sites are not included in the referral links. This level of targeting is likely to drive 

21 significant traffic through the Web hosts' network (and even more so if 

22 iamworthit user profiles are transferred to the site upon visitation of an iamworthit 

23 subscriber as these similar cross-links can also be personalized to the user. 

24 13.1 .5,5 Jransaction-based Revenue-sharing 

25 In transaction-based revenue sharing, the only time that advertisers pay to provide 

26 an impression to a user is when a sale results, in this case the hosting site receives a cut of 

27 the final transaction price. The vendors provide buyers with community dollars directly. 

28 The dollars, which are stored at the portal site, allow buyer-spending to be tracked. This 

29 allows the portal to monitor when a sale occurs, not just a hit on a banner ad. With 

30 transaction-based revenue of this kind, personalization is critical. In this model the portal 
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1 with give prominence to adverts from successful sites. A portal site may forgo payment 

2 from a vendor in exchange for the increased click-through from a strong network of 

3 community-dollar enabled vendors. Value is credited directly to buyers for future 

4 redemption at that particular vendor's site. The community dollars provided to a buyer 

5 can be restricted, -such that a buyer can only redeem dollars if s/he maintains enough 

6 visits to the portal site. 

7 Vendors can offer discounts on their own products directly, instead of providing 

8 the portal with money for advertising. The vendor only pays to the extent that its 

9 advertisements are well-targeted. The vendor could also request special ad priority. A 

10 vendor that presents advertisements to a buyer offers the buyer discounted promotional 

1 1 offers for products offered by partner vendors, in exchange for subscribing to iamworthit 

12 and receiving targeted impressions. These offers are in lieu of community dollars, and 

13 can be provided by partner vendors — maybe in exchange for a right to a number of ad 

14 deliveries for the vendor's own advertising purposes. 

1 5 We can also require that buyers are automatically routed through a portal when 

16 accessing any partner vendor directly. The portal (and therefore the coalition of vendors) 

1 7 then receives exposure each time the buyer clicks on an ad (or link) to that vendor. The 

18 portal may also provide benefits (e.g. additional advertising prominence) for sites which 

19 are responsible for driving traffic through the portal. Community dollars can be provided 

20 whenever the buyer accesses a site from the portal. Portals can offer free advertising to e- 

21 commerce sites (forgoing advertising fees). The portal provides discounts to buyers that 

22 purchase a product following a link provided at the portal. 

23 A buyer receives the discount by validating a purchase with the portal, and the 

24 site agrees to provide the portal with a share of revenue whenever the buyer cashes in 

25 community dollars in this way (we do not rely on HTTP refer mechanism because that 

26 can be blocked and falsified. Furthermore, we do not rely on URL+extension 

27 correspondences, also not secure — instead rely on providing buyer's with incentives, and 

28 monitoring buyers that have earned community dollars.) 
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1 13.1 .5.6 ^Delivering per-impression dollars 

2 We can deliver community dollars on a per-impression basis, with vendors 

3 competing to offer buyers high values for being able to present an advert. The existing 

4 collaborative-filtering engine at a buyer's SDI client-level proxy can filter ads, and select 

5 appropriate offers, using community dollars as just another measure of the usefiilness of a 

6 message. This is an alternative to providing dollars on a one-off (or even yearly) basis, 

7 for consumption via the vendor's site that the buyer subscribes to the service. 

8 A hosting site can take a fi-acfion of any dollars provided to a buyer. Alternatively, 

9 a site can convert the value into the community dollars to provide to the buyer, possibly 

10 at a preferable basis. The portal might also wish to convert its commission to credits for 

1 1 the buyer at any one of its partner vendors, with the stipulation that the buyer must access 

1 2 those sites via the portal in order to be able to redeem the credits. 

13 13,1 .5.7 Providing Loyalty Bonuses 

14 We can use the client-side SDI proxy to provide vendors with "loyalty guarantees", 

1 5 that are credentials to verify that the buyer has executed no transactions with any competitor, 

1 6 under any of its pseudonyms. The client-side SDI proxy is in a unique position to be able to 

17 implement this monitoring, because no other system knows a buyer's portfolio of 

1 8 pseudonyms. The buyer can present its digital credential when visiting a vendor's site. 

19 A vendor may wish to provide loyalty dollar credit; for example, it would be 

20 possible for vendors to offer buyer's credits if the buyer is a 100% loyal customer i.e. that 

21 she/he did not (over a specified period) do his/her purchases at the site of any competitor. 

22 For example, certain types of high value customers could be given considerable value in the 

23 form of credits or discounts as a result of demonstrated vendor loyalty. The credential can be 

24 time-stamped, to prove loyalty. It does not reveal any information about the buyer's other 

25 pseudonyms to a vendor, because many pseudonyms will exist that have not made any 

26 purchases fi-om a competitor. Upon accessing tiie vendor's site, this credential may be 

27 presented to the vendor. One criteria for the above benefits could be that the buyer may visit 

28 a competitor site, and engage in interactions; however s/he should not transact with that 

29 vendor. 
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1 13,1 .6 Alternative Business Models 

2 

3 o Offer discounted or free services in return for the right to access profile 

4 information. 
5 

6 Examples: Free or discounted retail products with "niche" partners in each category; 

7 Free dial-up ISP (as an independent ISP or a service to jointly promote free access 

8 with ISPs); Free Cable and ISP service, Free pay-per-view (note that viewing patterns 

9 and the associated content could provide additional valuable user profile 

10 information); Free phone service (e.g. advertise subscription service on screen phones 

11 or audio ads from pay phones); Free prepaid calling card; Free print media 

12 subscriptions (magazines, newspapers); Free book clubs; Offer any combination of 

13 the above with "deep discounts" for each (this can involve $350 community dollars 

14 per buyer or it may simply involve certain purchasing limitations per customer). 

1 5 Each vertical niche partner in exchange gets exclusivity within their own respective 

16 niches to target advertise to those buyers (e.g. retailers); Free access to sporting 

17 events; Free credit for casinos; Free lottery tickets; Free charity donations; 

18 Discounted hotel lodging; Monetary credit to a credit or debit card (either an 

19 iamworthit branded card or provided as a partnership with the card companies; 

20 Monetary credit to a diner's club; Free subscriptions plus credit to retail buyer's clubs 

21 (on-line or off-line); Credit or discounts for book clubs; Free musical concerts, or 

22 theater presentations, movies or access to arcade entertainment; Free access to 

23 amusement parts or theme parks; Free golf season passes; Free commission fees for 

24 stock trading; Free commission fees for travel booking (if implemented for on-line 

25 buyers would be less compelled to search for travel information on-line though go 

26 off-line to make their bookings). 
27 

28 o Allow the ISP to promote free Internet access through personalized advertising on 

29 iamworthit, 
30 
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1 The ad server can even recognize through the associated domain names, the buyers 

2 which are coming from a competitor ISP. So long as that ISP is not a partner of 

3 iamworthit, the associated buyer would be selectively targeted with an offer of this 

4 sort "free Internet access" by subscribing to iamworthit". Smaller ISP's would be 

5 particularly compelled by such offers to their direct target prospects. This is because 

6 they are operating on a "thin margin". Furthermore, both they and their small 

7 regional counterparts would be particularly vulnerable to this type of advertising by 

8 regional competitors from the same geographical area, during specified period of 

9 months of initial usage of the service, the share of profit due iamworthit could instead 

10 be committed to purchase additional advertising for the Internet service provider (or 

1 1 the balance of this profit traded-out in the form of additional advertising through the 

12 ad server partner). 
13 

14 The ad server partner could ftirther become an exclusive partner of iamworthit on the 

15 following commercial venture: Relationships as established with on-line merchants 

16 and other e-commerce sites. The vendor actively promote an offer to their customers 

17 through both off-line media (using a URL unique to that vendor) and on-line 

18 advertising through the ad delivery partner. The offer may say (as an 

1 9 example),"receive three hundred dollars in purchasing credit at Books a Million in 

20 exchange for subscribing to iamworthit (or receive five hundred dollars worth of 

21 discount credits at Books a Million^ In addition, as a further benefit to the vendor 

22 iamworthit could trade its own advertising impressions with impressions on the ad 

23 server for the current offer (in order to reach a different base of buyers which are not 

24 currently subscribed). A particularly compelling industry for this application is on 

25 line travel inasmuch as a plaguing problem to this industry is the fact that many 

26 buyers use travel sites as an informational resource on available travel deals and 

27 packages, but ultimately book their trips directly through a travel agent (thus cutting 

28 out the travel site). A three hundred dollar a year travel credit would be a compelling 

29 incentive to many buyers to modify their current travel booking habits. Affiliate 

30 networks are also an ideal channel for these types of promotions because affiliate 

3 1 sites agree to participate (typically) purely based upon the degree of the profit sharing 
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1 opportunity (which would be significantly larger than most types of transaction - 

2 based affiliate advertising). 
3 

4 Alternatively, it would be possible to offer websites the ability to become Internet 

5 service providers where the interface to the ISP home page would essentially be 

6 heavily branded to that site or portal. Companies like GTE already offer a "Virtual 

7 ISP" service in which the content to the ISP home page is unique to the ISP while the 

8 network is provided by the virtual ISP service. This model would be particularly 

9 compelling for sites which are largely community oriented and have a potentially 

10 loyal customer base. Moreover, interestingly, many of these community sites are 

1 1 offering many of the services and capabilities that a full-blown ISP would offer from 

12 its home-page, e. g., a portal interface, links to high-quality content, chat/forums, e- 

1 3 commerce, commerce affiliate links, etc. 
14 

1 5 o Free Community-based Content. 
16 

17 Create premium content which is free to iamworthit subscribers, subsidized by 

18 revenue from profile information. Each iamworthit buyer would be granted free 

19 access privileges to the premium content on all sites which are part of the program. 

20 Some content may be purchased and/or reusable, other may be entirely site-specific 

21 and novel. This model would be particularly appropriate for community sites which 

22 are largely member-based (or for example ISP-member-based communities) where 

23 much of their value to members is based upon information and other content which it 

24 can provide. It is conceivable that all iamworthit-enabled community sites would 

25 enable free access to their content by all other iamworthit customers (though it is 

26 possible that they may be mutually restricted if members of competitor communities 

27 as desired by the community site). If an ISP service is not already provided, a virtual 

28 ISP service could additionally be offered at a substantially reduced price or possible 

29 free. One could imagine fiirther extending this present network of free content to free 

30 content iamworthit subscribers for free access to fee-based television programming or 

3 1 VOD services. In as much as community sites and television channels are becoming 
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1 different media for delivery of the same information as the number of channels 

2 increases, VOD becomes technically enabled, and, most imminently, full motion 

3 video can be delivered upon demand over the Web. 
4 

5 o Free Access To Subscription and Fee-for-use Information of the Web. 
6 

7 In addition to the aforementioned free community site content, it would be possible to 

8 further provide free and automatic access to fee-based information on the Web. 

9 These costs may be able to be covered by the model across all or most sites 

10 depending upon the usage characteristics of its buyers (e.g. assuming 

11 advertiser/community dollars payment to the sites are averaged across buyers in 

12 accordance with the consumption patterns of the average iamworthit buyer). The 

1 3 identity (pseudonymous) of the buyer would have to either be disclosed to the site via 

14 the proxy or a unique pass code (as required by the site) provided to the buyer could 

1 5 be automatically entered upon the buyer accessing the fee for use area requiring the 

16 code. A directory (portal) of these fee-based sites would be a useful adjunct to 

17 subscribers. 
18 

1 9 o Bundling iamworthit links with hardware with a PC manufacturer. 
20 

21 Many PC manufacturers are now recognizing e-commerce as a very important sales 

22 channel. The present model would involve the P.C. manufacturer bundling a link 

23 along with a promotion for iamworthit. The promotion would offer the buyer cash 

24 credit for the buyer. The PC manufacturer would also receive exclusive advertising 

25 rights to target buyers whose browsing behavior profile qualifies them as a future 

26 sales prospect. E.g., instead of cash credit as the profile is idenfified, the offer could 

27 then become modified to offer free hardware or credit to their purchase. Because PCs 

28 are highly portable, the advertising targeting techniques described in LEIA could add 

29 substantial additional value to advertisers. A similar model could be used for 

30 manufacturers of PDAs. 
31 
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1 o Allow matchmaking of buyers based on profiles across a network of 

2 iamworthit/community-doUar sites. 
3 

4 A menu of different forums and chats can be displayed on each iamworthit member 

5 site, (the underlying methodology for which is described in co-pending patent 

6 application "Virtual Community Service for System for Customized Electronic 

7 Identification of Desirable Objects"). In accordance with this specification, a 

8 variation of the service involves the process for identifying individuals who most 

9 closely match a given category or target object. For example in the context of the 

10 present implementation a category or content, merchandise or a purchasable being 

1 1 specially promoted may be the focal point of a discussion forum or chat room, which 

12 is automatically organized by the Virtual Community agent. Accordingly, a portal (or 

13 in accordance with the present trend) a site with which a portal interface is integrated 

14 utilize the present techniques for- generating virtual communities for each category or 

1 5 sub-category of content on the portal or for direct access into a forum or chat room 

16 which was automatically created around that particular site (as the target object used 

17 as the matching criterion). As described, the user may navigate a hierarchical menu 

18 of virtual communities which may be constructed automatically according to the 

19 methods described which involves communities assigned to category, sub-category, 

20 and association with corresponding sites. Ideally in this scheme the portal is actually a 

21 "virtual portal" which may be utilized in providing access to the communities across 

22 numerous sites (and/or ISP home-pages). Users may also be navigated (at the 

23 individual user level) which along with their pseudonymous user profile data is 

24 subject to their data release policies. In a variation of the above schemes, if there is 

25 geographical information which is associated and which is released in accordance 

26 with the above individuals and/pr communities (e.g., as may be occurring or 

27 scheduled to occur in physical space), LEIA may be employed as a primary (or 

28 additional) selection criteria for navigating the present information accordingly. 
29 

30 o Advertising in Exchange for Equity. 
31 
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1 A potentially attractive optional form of value, which could be provided to 

2 iamw^orthit customers involves equity shares in companies which advertise to the 

3 buyer (in lieu of community dollar credit or cash). This scheme is an ideal 

4 application for iamworthit in as much as iamworthit customers can be highly targeted 

5 and because many Internet-based start-ups are highly niche community oriented (thus 

6 iamworthit customers who are interested in the sites can be efficiently identified and 

7 targeted). Moreover advertising is typically very expensive which in the absence of 

8 accurate targeting may be of questionable value. It should be noted, however, that 

9 because the primary objective is to both find viable prospects and to engender an 

10 element of loyalty (which the equity model does). This scheme would be the 

1 1 preferred approach to advertising for sites which do not sell on-line where community 

1 2 dollars would be the preferred loyalty engendering scheme. In order for this model to 

13 substantially provide its desired advantages of increased advertising exposure to 

14 fledgling web based companies, the iamworthit subscriber base would have to be 

1 5 quite substantial. 
16 

1 7 o Loyalty credits for off line retailers. 
18 

1 9 Deliver through the back of sales receipts, kiosks or direct mail or on-line substantial 

20 purchase credit to retailers (e.g. grocers') customers, using the aforementioned 

21 technique of utilizing a unique URL to identify the vendor and/or promotion from 

22 which an iamworthit subscriber originally accessed the iamworthit subscription site 

23 (thus identifying for both buyer and vendor the appropriate denomination and/or 

24 terms of community dollars issued to the buyer). In the preferred implementation, a 

25 loyalty card is used to identify the buyer thus enabling the community dollars value to 

26 be provided to the customer at check-out as straight credit or possibly an 

27 enhancement to loyalty credit. The buyer may also be identified via credit card or 

28 alternatively a voucher (or coupon) could be printed from the buyer's computer or 

29 from a kiosk which is typically situated near the entrance to the store and which could 

30 be activated upon insertion of a loyalty card credit card (or associated authorization 

31 code) and could also be used to disclose the buyer's community credit balance. A 
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1 unique identifier for that voucher or coupon is provided and non-tamperability 

2 measures are provided such that the buyer's community dollars account can be 

3 appropriately debited upon redemption. Preferably, a pre-determined value is 

4 specified on each voucher (which could be predetermined by the service or the buyer) 

5 or alternatively, the total community dollars balance could be specified on the 

6 voucher along with the buyer's name/address and redeemable only upon presentation 

7 of valid buyer ID. 
8 

9 o Free ASP Services - Web-centric applications are becoming an increasing central 

10 part of the e-business infrastructure. iamworthit could potentially enable 

1 1 organizations to gain free access to these Web-centric applications in exchange 

12 for iamworthit enabling their employees and customers (e.g. which may use some 

1 3 of these applications as well). 
14 

15 o Credit to a User's Credit Card - Many credit cards are tailoring promotions to 

16 enhance not only acquisition of market share but also loyalty of its users. The 

17 user-centric SDI provides an enhanced (e.g. rebates for expenditures) platform 

1 8 which could provide more efficacious loyalty enhancement marketing strategies 

19 for card issuers. For example, a credit card user could be given certain credit 

20 towards the card (e.g. via a promotional offer) for becoming an iamworthit 

21 subscriber (which is largely ad revenue supported). An additional novel 

22 application could involve providing an offer for an additional benefit which could 

23 be provided if the user performs all of his/her on-line transactions using the 

24 present credit and (i.e. wherever the card is accepted). 
25 

26 An iamworthit pseudonymous credit card [e.g. LMP 94] could be provided whereby 

27 users collect credit for advertising (e. g., on billing statements for the ad) which the 

28 user receives as well as the advertising delivered via iamworthit's on-line (Web or 

29 targeted email) as well as pseudonymous physical mail, telemarketing calls using user 

30 profile pseudonyms and one all time or pseudonymous phone numbers. This user 

3 1 profile data consists in part of off-line data and on-line data. 
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1 

2 o Free Personal Portal for Individuals. 

3 

4 It is reasonable to offer individuals completely free, Web design/development and 

5 hosting services which are offered and mass marketed. At the time this patent was 

6 written, Web developers were offering such free services in exchange for revenue 

7 sharing for advertising product syndication or e-commerce offering on the 

8 individual's site. lamworthit could conceivably be deployed in conjunction with this 

9 commercial model whereby either a portion of the user's own iamworthit profiles are 

10 used to subsidize (or subsidize in part) the portal and the developer and/or revenues 

1 1 shared from profits from iamworthit subscribers who subscribed from the portal are 

12 utilized also (or instead). As such, it is also reasonable for such a developer to 

13 provide links on affiliate sites (e.g. access an affiliate network) which offers free 

14 individual portals in exchange for subscribing to iamworthit (and perhaps agreeing to 

15 offer a similar iamworthit expectation from that portal as well from which the user 

16 can also share in a portion of the revenue stream. Such a program could even be 

17 structured in its revenue distribution to the subscribers as a multi-level marketing 

1 8 network. Users could even receive value for providing links to the vendors site either 

19 both (e.g. as "cob- shopping portal) - direct off-line 

20 encounters in the other users as prospective customers to the URL. (where the URL is 

2 1 unique for each individual. 
22 

23 o Multi-level Marketing Network. 
24 

25 This economic model for distribution of shared revenues from iamworthit may be 

26 implemented several ways. For example, as above suggested, the user's Web portal 

27 offering solicitations for iamworthit (as a standard offering or in combination with a 

28 free personal portal), could be implemented in a number of different ways, such as ; 

29 a). The solicitation is presented upon the user's Web portal, b). -The solicitation is 

30 made through the traditional sales channel of direct one-o-one correspondence with 
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1 friends or associates. cG). -The solicitation is attached to any email messages of the 

2 user such solicitation provides a link to enable the user to subscribe. 
3 

4 13,1 .6.1 _Agent-Mediated Value Exchange in the Supply-Chain 

5 The information in the SDI data warehouse can allow vendors to identify business 

6 relationships between other vendors, for example between vendors and their suppliers, 

7 and between vendors and their customers. With this information a vendor might attempt 

8 to exert pressure on another vendor by making direct offers and incentives to their 

9 suppliers and/or their customers. Of course, in all cases information is only available 

10 subject to price and disclosure policies, but with there being at least two parties in any 

1 1 deal no vendor can unilaterally prevent this kind of information from reaching the SDI 

1 2 enabled data market place. 

13 Information may include the benefits/disincentives associated with particular 

14 actions, and help to identify actionable events. Agents might offer other vendors a share 

15 in some future profits that result from taking a particular action, so that little up-front 

16 collateral is required. The information in the data market can be used to estimate the 

1 7 value of this share, for example, based on information about expected trade volumes from 

18 projected market share. 

19 In a variation, SDI may also assume the task of negotiating on behalf of each entity 

20 involved. This is useful when information is sensitive and/or confidential, SDI can allow 

21 negotiation without identification until a deal is struck. In this section we describe an 

22 application of SDI to an agent-based economic infrastructure in which value exchange is 

23 used to create "efficient supply chains and contracts". 

24 It is critical within this system that agents can specify quite elaborate privacy 

25 policies, so that they can submit sensitive information to the SDI data warehouse but be sure 

26 that the information will not be revealed to competitors. One consequence is that SDI will 

27 compute efficient supply-chain structures based on the information provided by agents, but 

28 be able to report a good set of contracts without providing complete rationale (e.g. plans, 

29 strategies and or future technologies) for the basis of the identified solution. An agent may 

30 be asked to apply economic pressure within a supply chain without understanding why it 
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1 will receive personal (and perhaps long-term) benefits. In another variation, if SDI is able to 

2 keep track of an entity's competitors and cooperating partners, then certain amounts of 

3 information can be carefully released to justify decisions. 

4 SDI must retain a considerable amount of autonomy, to apply its knowledge to act 

5 in the best interest of these entities which it represents without being able to disclose the 

6 rationale for their contract recommendation. There is a very significant amount of trusted 

7 information regarding all of the commercial activities, internal operations, marketing , 

8 strategic business and product development strategies, etc. which must be disclosed to 

9 SDI for an accurate assessment regarding the present and predicted commercial impact of 

10 new supply-chain contracts. 

1 1 Furthermore, we must prevent a vendor from exaggerating its value of certain 

12 outcomes, to achieve a good solution. Given this incentive-compatibility problem, and the 

1 3 potential problem of vendors entrusting so much extraordinarily delicate information to a 

14 single entity, we could instead allow SDI to assume many of the roles of a consulting 

15 firm. In this case SDI controls the reporting of information to SDI, and can verify its 

1 6 accuracy. 

1 7 The mechanism for providing value to the recipient (in exchange for providing the 

18 desired action) is flexible and may include (as suggested above) '"upside" value, direct 

19 compensation (or direct "redeemable value"), or an exchange of actions between agents 

20 (I will do X if you will do Y). Part of a deal may be that the provider of a requested 

2 1 action guarantees exclusivity and that it will not provide a similar action for competitors. 

22 A vendor might identify and propose deals to the customers of another vendor, to 

23 apply economic pressure through threatened boycott and compel the vendor to perform a 

24 desired action. This "indirect" economic leverage may be applied at the consumer 

25 (lowest) level in the supply chain, and passed upward. In addition to boycott, a vendor 

26 could promise please note, shouldn't consumers be termed customers of the vendor since 

27 consumers cannot be threatened with boycott) consumers credit in return for taking a 

28 particular action. SDI can mediate the entire electronic control, transfer, fulfillment and 

29 negotiation -processes (typically XML-based) individually on behalf of each entity within 

30 this multi-step negotiation process. In the above applications SDI can represent each 

31 entity in the negotiation process, and also have a role in providing information and 
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1 statistics, expert opinions, etc. which clearly elucidate the value and potential value 

2 opportunities available to the entity(s). 

3 The current model allows different supply chains to compete for the loyalty of the 

4 consumer, e.g., through providing indirect economic value to the consumer as in kind 

5 products/services and/or upside in the benefiting entity. 

6 Economic alliances can be created between vendors, suppliers and consumers 

7 within the same supply chain. SDI can act on behalf of different supply chains and 

8 establish a competing market between different chains for the business and ultimate 

9 loyalty of purchasers. End purchasers have a large economic leverage on a supply-chain. 
10 The decision of an end purchaser will depend on: 

11 

12 1 ) The type, selection and quality of personalized products/services 
13 

14 2) The economic value which a given supply chain is willing to provide a user in 

15 exchange for complying with -particular requests (i.e., favors). This factor may 

1 6 ideally translate to price or loyalty credit. 
17 

18 A part of a consumer's decision may be based on which vendors are likely to use 

19 personal data effectively in the future, to provide for example highly customized 

20 products/services for the individual. Supply chains which can deliver products and 

21 services which are most closely aligned to the needs/preferences of the customer should 

22 ultimately win out by capturing the customer's loyalty. A consumer's personal data can 



23 be quite valuable to a supply-chain, especially if a consumer provides one supply-chain 

24 with the exclusive right to its personal data. In application to the virtual sales person 

25 scheme, customers can receive incentives to solicit other customers as introduced 

26 dynamically via SDI and LEIA [Patent No. XXX], customers that match desirable user 

27 profiles. 



28 The payment that a customer receives for committing to a supply-chain can be 

29 received from all members of the supply-chain that can gain value from the customer, 

30 with "considerations" passed down the chain which are eventually provided in some form 

3 1 of loyalty credit to the customer by the vendor at the end of the chain. Some of the value 
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1 conveyed back to the user can, of course, be in the form of community credit, e.g. 

2 subsidizing a portion of the customer's needs from vendors w^ithin a supply chain. 

3 In this model we can also allows an employee to receive benefits to reflect the 

4 value that s/he provides within the supply chain. Again, a vendor's supplier might even 

5 provide a benefit to encourage the employee to perform well. Valuable employees may 

6 receive more "value bonuses" the longer they stay with the organization, to encourage 

7 them to stay with an organization which needs them, and without the ability to leave a 

8 company once the value of share options has been realized. 

9 With interwoven supply-chains, for example, with the same supplier connected to 

10 multiple vendors, and vendors with competing suppliers, this method of passing value 

11 along the supply chain becomes more tricky. When a consumer applies economic 



12 pressure on a vendor that it deals with in the supply chain, that vendor may inform other 

13 suppliers of the pressure and block service to the user. A bartering system can provide 

14 additional benefits, to allow vendors to exchange bonuses, discounts, etc. with favors 

15 offered to vendors in other value chains. In general it is quite likely that a favor will not 

16 substantially benefit a user in another supply chain. We can also include a method to 

17 prevent a vendor that does not itself offer favors in the supply chain from taking 

1 8 advantage of favors offered by other vendors. This can support cooperation 



19 -within__-the supply chain, and allow effective competition with other supply 

20 chains. 
21 

22 Each vendor in the supply chain can benefit in two ways: 
23 

24 1) They receive a "commission" on the transactions in which they convey the favor 

25 to their customer (which again may be "upside" in the ultimate beneficiary of the 

26 favor and/or product/service loyalty credit with their own supplier). 

27 

28 2) (Most importantly), they receive customer loyalty advantages via the community 

29 credit they provide such customers. 
30 
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1 For reasons of this latter benefit they are likely to compete with other competitive 

2 vendors for the privilege of exclusively delivering the incentive to evoke the favor to the 

3 next level up the supply chain. In this way each vendor below the supplier requesting 

4 stands to gain via customer loyalty benefits by competing with another supply chain. 

5 A consumer can provide value to a supply chain by exclusive provision of 

6 personal data, to allow a supply chain to create specially customized and targeted 

7 products and services. However, it is not necessary for a customer to have an exclusive 

8 contract with a supply chain (although this might bring greater loyalty benefits and 

9 payments). 

10 A variety of different techniques and methods should be integrated and deployed 

1 1 to implement this agent-mediated supply chain value exchange system: 
12 

13 1) Digital contracts to define and enforce particular transacfions and long term 

1 4 business relationships. 
15 

16 2) An SDI infi-astructure to suggest particular opportunifies for a vendor, based on 

1 7 the benefits to the complete supply chain. SDI can utilize as much information as 

18 the vendor is willing to entrust in SDI, to try to identify present and predictive 

1 9 future benefits resulting fi-om actions on the part of other vendors. 
20 

21 3) A means for enabling customers and/or vendors to form coalitions, to strengthen 

22 their ability to provide pressures on other vendors. 
23 

24 4) A mechanism with usefiil incentives for these customers and vendors guarantee 

25 direct benefit even if the desired action ultimately does not result in new value, 

26 e.g., an insurance scheme. 
27 

28 5) A method to exchange terms and conditions between members in a supply chain, 

29 by being passed up the supply chain fi-om the lowest level (consumer), and a 

30 mechanism to provide "fair compensation" for this process. 
31 
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1 6) A method to integrate loyalty benefits and long-term purchasing contracts, etc. 

2 into an electronic cash protocol, so that buyers are aware of all contractual 

3 constraints during negotiations with agents. 
4 

5 7) Methods within SDI to advise a customer about an appropriate bidding strategy, 

6 based on estimated values of different contracts and supply chains, to help the 

7 customer to make a good decision. 
8 

9 8) Methods within SDI to recommend information to reveal to a supply chain, to 

10 maximize the value of a loyalty bonus offered and ultimately received by an 

1 1 agent. Of course, information cannot be falsified, but some information can be 

12 withheld. 
13 

14 Applications of "bribing" the consumers of a vendor: 
15 

16 o A commercial entity is sustaining bad publicity from an article published in 

17 newspaper X. The company could offer the customer base of the publication 

18 (identified via SDI) an incentive to temporarily disrupt or boycott the publication 

19 until corrections/changes are made to the article. The company could also offer 

20 discounted products or services to the consumers, based on information (from 

21 SDI) about their consumption patterns. A more indirect discount could be 

22 provided via other vendors fiirther up the supply chain, via multi-vendor 

23 exchange. 
24 

25 o Company A is a high tech start up selling software products and services to 

26 established vendor B. Vendor B identifies the substantial value proposition of the 

27 products and services provided by the start up, and decides that it should provide 

28 the services for itself "in-house". Start up company A can go to the consumers of 

29 vendor B (information from SDI) and offer a percentage upside, e.g. percentage 

30 equity in the start up, if they will apply a threat to boycott the vendor unless the 

31 vendor agrees to do business with the startup. Company A might even identify 
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1 consumers or suppliers further down the supply chain, and apply indirect pressure 

2 toB. 
3 

4 o Company A is developing a new commercial initiative which may be competitive 

5 to that of another smaller company B, and might harm B's market share. Assume 

6 that consumers prefer B's products to the future products of A, and that B can 

7 make more profits than A. Company B could convince the customers of company 

8 A of these facts, offering them a percentage of potential upside and/or discounted 

9 or value credit towards products. The customer profiles of company As 

1 0 customers also reveal the vendors from which they most frequently purchase, and 

1 1 company B could also offer equity or otherwise some potential upside to these 

12 vendors in exchange for offering discounts or credits to their customers (which 

1 3 are customer A's customers as well). 
14 



1 5 In place of monetary compensation, we might provide a value payment to an agent in the 

16 form of a long-term compensation, based on the long-term value achieved by an agent 

1 7 further up the supply chain. 



18 

19 o SDI can identify the paths in the supply chain between companies, to allow a 

20 sequential transfer of benefits down a chain. Ideally, each entity providing the 

21 benefit is doing business with another next lowest in the supply chain, so that 

22 value can be exchanged. 

23 o SDI might "bribe" each party within a value chain to enter into a contractual 

24 relation which benefits that party (directly or indirectly). 

25 o SDI can determine what companies along this chain would have the greatest 

26 future potential to benefit one another, i.e., where the supplier can generate 

27 compelling long term benefit to each of his subsequent buyers at each level down 

28 the chain. 

29 o SDI can use available information regarding a vendor's internal and external 

30 activities and goals, to identify optimal multi- vendor supply chain models, in 
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1 terms of maximizing the sum value to all members in the supply chain, and the 

2 value of each individual company. 

3 o SDI must also consider the willingness of each vendor to establish the necessary 

4 contractual relationships for the new supply chain. Vendors might provide SDI 

5 with "relationship policies" and "contract policies", to allow this to be factored 

6 into an SDI recommendation. 

7 o SDI models, in detail, the economic value which each scenario provides to the 

8 collective vendors and to each individual vendor. SDI can inform each individual 

9 vendors of its own predicted value, while withholding information about other 

10 vendors. 

11 o SDI can seek coalitions of vendors with similar interests to combine their 

12 bargaining power, and attempt to compel vendors to enter particular preferred 

1 3 value chain scenarios. 
14 



1 5 SDI is privy to most or all of the information relating to all of the companies in a supply 

16 chain, and can be trusted with the task of creating strategic plans between different 

1 7 companies, potentially making the supply-chain more efficient and benefiting all vendors. 

1 8 The strategic plan might suggest: 



19 

20 1) New business relationships between the most synergistic entities 

21 

22 2) Contracts for existing commercial relationships which embody and enforce 

23 specific terms of those relationships within the framework of this optimal supply 

24 chain system. 
25 

26 SDI might also create a detailed system for accounting for the effect of a contract 



27 on the rest of the supply chain (individually and collectively), and predict short and long- 

28 term effects of contracts in advance. This information can be used to encourage the 

29 desired contractual activities on the part of vendors in a chain. There may also be cases 

30 in which the direct/indirect economic impact of a contract upon a vendor results from an 

31 additional secondary economic advantage to that vendor besides the trickle down 
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1 economic effect; for example because of strategic commercial benefits. These factors 

2 can also be considered in an economic benefit model. 

3 

4 Given models to compute the comparative economic value of proposed contracts 

5 to vendors in a supply chain we can demonstrate a "trickle down" economic value chain 

6 in which the success of company A is directly related to the success of company B. This 

7 information can be presented to company A and each intervening supplier. SDI can then 

8 establish long term contracts between each entity in the chain to insure that each 

9 company receives the benefits of products and services from its other suppliers which are 

10 of greater value than without the contract. This trickle-down benefit can be used to entice 

1 1 a company to enter into a recommended contract, for its own benefit and the benefit to 

12 company B. 
13 

14 The benefits which each vendor is predicted to receive in a proposed value chain 

1 5 can be pooled together and used to "bribe" each vendor within the value chain to enter 

16 into the preferred contract. While some value chains may actually be willing to provide 

17 greater compensation to a vendor, the goal is to link a vendor's decision to the value of 

1 8 the complete value chain, both future and present. 
19 

20 Of course, vendors may face risks in committing to long-term contracts, 

21 particularly when many vendors in the chain must prosper for the value to be realized. 

22 SDI might introduce a number of decommitment clauses to allow a vendor to back out of 

23 a plan, perhaps reverting to a "plan B" which protects the interests of harmed vendors 

24 while retaining as much value to other vendors, i.e. allowing all vendors to contribute to 

25 the cost of failed contracts. Alternatively, we might create a futures market in which the 

26 risk of the future value can be traded in real options, within a public market — providing a 

27 financial instrument to share risk. In this case, if some measurable form of economic 

28 benefit such as sales value (for e.g., the particular relevant product line), possibly 

29 stock values, profits, etc. falls below a target level the vendor may be compensated for its 

30 initial risk, i.e., secure a worse-case outcome. 
31 
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1 It may be important in high-growth markets such as technology, with high risk 

2 companies, to allow insurance for contractual non-performance of suppliers. 
3 

4 SDI can leverage available data to compute the most beneficial economic scenario 

5 for all associated vendors collectively, and also to compute optimal scenarios for each 

6 individual entity. SDI can disclose the complete picture to each agent, and then allow 

7 individual vendors to optimize their local plans in a global plan. To effect a new scenario 

8 though, agent agreement is required. Another mechanism could have SDI report the 

9 optimal global scenario, and the optimal scenario for each individual agent. Then we 

10 could allow agents to negotiate, to find a multi-agent compromise outcome that is more 

1 1 efficient than the current solution but possibly not as good as the globally optimal new 

12 supply chain. The decision of an individual agent to enter into a proposed contract will be 



13 determined by the cumulative value, short term and/or long term, to that entity, consisting 

14 of the predicted value of taking an action (e.g. breaking a contract, initializing a new 

15 contract) both in terms of immediate bonus to a vendor, long-term individual benefit, and 

16 trickle-down benefit because of global supply chain improvements. 
17 



18 Each vendor must provide SDI with as much information as possible about the 

19 particular conditions under which it will perform new contracts, such as its preference 

20 between short term and long term predicted benefits, etc. SDI looks for outcomes that are 

21 favorable to individuals and to the overall system. Value can be realized in short-term 

22 payments and long-term bonuses. 
23 

24 Additional examples include: 
25 

26 o Company A may threaten to file a lawsuit against company B- (which could be 

27 very damaging to company B). In a similar barter exchange, company B can 

28 barter its own value (in the form of upside or products/services) as offered to the 

29 customers (or vendors of the customers) of company- A, targeted to only those 

30 customers that reside within the same supply chain. Thus, by limiting the value 

3 1 proposifion to only these entities, and not to those which reside within the supply 
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1 chain of a competitor, the value of the potential upside is worth more because it is 

2 partially predicated upon their own direct success. Again, it is also possible to use 

3 an indirect strategy, bribing entities or individuals of influence within a given 

4 company from which a particular action is desired. 
5 

6 o In another novel application there are certain activities among certain individuals 

7 which are considered to be mutually and collectively advantageous or 

8 disadvantageous to all members of a certain vendor community. We can have all 

9 members contribute money into a fund. The desired actions would be rewarded 

10 appropriately while these not desirable are punished. Ifi^when an undesirable 

11 action is performed all vendors can threaten to boycott that action (creating a 

12 significant disincentive to the user). The individuals may also be subject to 

13 boycott by other entities which the present individuals rely upon economically (as 

14 buyers or sellers). 
15 

16 o Company B is a large entity discussing a major partnership deal with company C 

17 which involves a large development initiative to supply company C with 

18 technology. SDI is confidentially apprised of the negotiafion via company C and, 

19 in accordance with its privacy policy, allows SDI to notify and apprise company 

20 A of this developing prospective deal. Company A (a smaller company) initiates 

21 a counteroffer to company C, and is willing to share a portion of its upside 

22 (resulting -from the deal directly or from its own equity) to customers of C if they 

23 can convince company C to deal with company A. SDI may finally suggest a 

24 boycott -or reduction in business unless company A is selected. 
25 

26 o A high tech start up is in the process of seeking new or additional fiinding. SDI 

27 can identify a potential customer base and collection of strategic partners, and 

28 also likely indirect beneficiaries of the technology, products and services in the 

29 supply chain. These entities and their consumers can then be incentivized to place 

30 economic pressure on the necessary financing institutions. The commercial 

31 enfifies themselves may also be incentivized, for example potential direct 
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1 suppliers or customers can be informed that investment will provide an 

2 opportunity for new guaranteed business or value concessions. These entities 

3 might also apply direct pressure on their own financing institutions. The scheme 

4 extends to existing suppliers and customers. 
5 

6 o An entrepreneur with a new start up venture can find companies (e.g. suppliers, 

7 etc.) that will benefit from the new company, and seek funding fi*om those 

8 entities, in return for providing a long-term share in the company. SDI can 

9 contract all the relevant strategic partners before a funding commitment, to 

10 provide more information and reduce risk. Other equity shares could flow fi*om 

11 marketing agreements, e.g. a co-branded affiliation of all further 

12 products/services. The new company might also guarantee an exclusive contract 

13 with another entity. An entrepreneur might also be willing to sell a company to 

14 the more established entity, e.g., within a year or two, this can be contracted at the 

1 5 outset. The present framework allows value from long-term strategic alliances to 

1 6 be released. 
17 

18 Within SDI we can adapt a user's personalized portal browser to favor the 

19 vendors providing such value opportunities to the consumer. A vendor could achieve 

20 additional market share by complying with requests of another vendor. The value 

21 proposition as presented to the user can leverage the personalized browser user interface 

22 to prioritize a vendor's offers in the future. 
23 

24 Example Commercial Application. 
25 

26 An investor has invested in a very high risk venture relating to highly speculative 

27 stem-cell research. After years and millions of dollars, the venture finally goes out of 

28 business (or becomes acquired on the verge of bankruptcy) the investor loses all of her 

29 investment, however terms in the original investment contract (which involved at the 

30 time the approval of a variety of medical organizations most likely to benefit from the 

31 eventual medical science benefits of the research) now enable the investor to acquire in 
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1 kind benefits (which may include anything from equity in these various medical 

2 organizations to goods/services provided by them). A portion of the value may even 

3 include a sizable amount of value provided by the original company and/or indirectly vis- 

4 a-vie the remaining medical entities, a substantial amount of value within the barter 

5 exchange for favors. 
6 

7 With time, stem cell medical applications proliferate thus, the "upside benefit" 

8 increases in proportion over time. However, if this "up-side benefif ' (of the original 

9 collection of contracts from the various relevant companies in the field to which the 

1 0 original research activities pertained) was insured through the futures market the investor 

11 can benefit from the value and growth. Investors can include researchers whose 

12 contribution of time and effort and dedicated focus on the problem had been estimated. 

13 This can allow valuable talent to receive the incentives to join the initiative from the 

14 outset in a way which would be very difficult to achieve with other standard recruiting 

1 5 approaches. It is important in this scenario, however not to over incentivize the managers 

16 and executives such that they may lose incentive to make the company succeed. In this 

1 7 scenario that the company does not go bankrupt, proper incentives could be provided to 

18 further encourage similar scientific and innovative entrepreneurial initiatives in the 

19 future, thus a portion (perhaps a fraction of the upside in these other entities could be 

20 provided even in the event of success (and irrespective of the level of risk associated with 

21 the original venture). Certainly the field of stem cell research is only one example of 

22 many speculative new technology fields with potential for enormous overall impact upon 

23 all aspects of the economy and society. Another example cited elucidates other potential 

24 features and variations of the present novel scheme. The field of na- — technology is 

25 believed by many to become perhaps the most important and pervasive technology 

26 paradigm of the twenty-first century impacting almost every industrial sector. As such, 

27 many different critical problems will need to be solved, each with potentially enormous 

28 associated economic opportunity. There is, however, considerable risk associated with 

29 the probability for industry and research institutions to realize these significant returns on 

30 investment for any given industrial sector or application domain (however, by no means 

3 1 is this true for the overall field of nanotech). Also breakthroughs in any one application 
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1 domain will substantially advance the state of the art for potentially all other application 

2 domains. It is reasonable for SDI to create a futures market in which it predicts certain 

3 long term but very realistic goals for each application domain of nanotech. Through 

4 cooperation with industry and the investment community it may further pre-contract with 

5 various present and potentially future entities which are most likely to be direct 

6 beneficiaries of the technology which is spawned from the initial extremely high risk 

7 commercial ventures pioneering the basic technology. As in the stem cell commercial 

8 example percentages in the various longer term beneficiaries can be used as a strong 

9 inducement to present prospective investors in the pioneering commercial entities. As 

10 suggested, this percentage may be inversely related to the degree of success of the initial 

1 1 venture and if desired, the risk may be further reduced through the use of a futures market 

12 which essentially assures the predicted economic marks of these various 

13 prospective commercial endeavors. The wise investor in the futures market will seek 

14 diversification of investment across many different technological sectors of nanotech 

1 5 (thus assuring the large upside which is certainly to occur universally but not necessarily 

16 for any one given application commercial domain. SDI could further mediate the long- 

17 term opportunities to the original investor by mediating, for example, technology transfer 

18 and licensing intellectual property to present or prospective commercial entities which 

19 have thus agreed to operate under the terms as provided by SDI. In exchange, SDI could 

20 also (as above suggested) provide a resource and technology sharing service and 

21 associated partnership brokering service (between potential multiple companies 

22 containing potential commercial synergies). In addition it may work with the investment 

23 (particularly incubator community) by which it may, without disclosure, of commercial 

24 strategies and technologies which are presently or prospectively planned across the entire 

25 nanotech industry of disclosed suggestions for particular commercial and technological 

26 opportunities which would appropriately complement and benefit the global strategy or 

27 nanotech which is known exclusively buy SDI. This approach in addition to emulating 

28 the same united focus and integration of multifaceted technological and R and D 

29 initiatives can also ensure the proper distribution of efforts within each technical 

30 application domain, the appropriate sharing of information whenever potential for 

31 technological complementarity, but not commercial competition exists (which SDI) 
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1 strives to achieve on an industry wide basis) and the assurance that companies and 

2 departments do not duplicate their efforts if at all possible. The investment community 

3 through SDI could certainly stimulate conditions as above which band aid the adherence 

4 to these terms as a condition to investing. SDI, through incubators could additionally 

5 disclose particular commercial and technologic opportunities which are both synergistic 

6 to the global SDI strategy as well as pre determine (visa vie SDI's extensive in depth 

7 research on the industry to possess significant commercial opportunity. Based upon 

8 some existing companies technical proficiency and commercial strategies, some of these 

9 emerging opportunities could be disclosed as potential (suggested extension of existing 

10 departments or divisions based upon their individual areas of expertise and particular skill 

1 1 sets of its employees. 
12 

13 The present system methodology (of business to business and business to 

14 consumer) may also be extended to include other variations including consumer to 

1 5 business or consumer to consumer. An example of the former could be an employee who 

16 is slated for lay-off or firing within a large organization. The indirect effect of the lay-off 

17 could result in a negative impact upon the individual's financial welfare and indirectly 

18 upon the professional contributions of that employee's children. The likely potential 

19 beneficiaries (corporations) may identify potential lost revenue streams and effectively 

20 bribe the present organization with "value" to avoid the lay off. It is also noteworthy to 

21 mention that the justification for accepting the offer for the second organization is more 

22 compelling if there exists a "trickle down" economic impact, ultimately upon the first 

23 organization (and certainly SDI, within the present fi-amework, would factor such small 

24 economic negative factors into the optimization model for the most efficient supply chain 

25 of vendor relationships). 
26 

27 Within the scope of the present example, it is possible to create a form of 

28 insurance in which SDI identifies extremely similar circumstances where similarity is 

29 measured primarily by the nature and scope of the opportunity and its associated risks as 

30 well as the entity whose critical action is necessary to bring about the desired objective. 

3 1 In this case, the individuals (or entities) benefiting from the desired action are able to 
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1 effectively conceive to contribute a certain level of value to the collective group to 

2 effectively insure the desirable outcome on behalf of all of the members of that group, 

3 such that, if the desirable action on behalf of the other entity (in this case the large 

4 organization contemplating substantial layoffs) does not concede to the desired action for 

5 one or more of the individuals, this value contributed from the group is used to apply still 

6 greater economic pressure upon the entity to perform the desired action. If this does not 

7 facilitate the action, the value is instead applied in another (albeit less optimal) form to 

8 compensate at least a portion of negative economic impact upon that individuals/entity of 

9 course, the level of risk may influence the amount of insurance each individual/entity is 
1 0 willing to contribute within a given group. 

11 

12 1. There are numerous other extensions and potentially practical applications of the 

13 present novel methodology, particularly those applied primarily at the consumer 

14 level, and where consumers are provided with an infomediary such as SDI to 

1 5 represent the most individually beneficial actions within the present agent mediated 

16 contract negotiation framework. One of the significant technical advances of SDI is 

1 7 the ability to not only represent the particular best interests of an individual (or other 

18 entity but also provide; (1) knowledgeable experts -(or "knowledge proxies") who 

19 within the information rich economic and political universe is able to offload the task 

20 of acquiring constantly updated and changing and expanding expert knowledge 

21 within each domain and sector of the economic and political systems. In this regard 

22 SDI may, as a service to consumers, represent consumers according to which overall 

23 economic scenario which best represents their socio-economic interests which may 

24 factor in both long term or short term monetary benefits and/or socio-economic 

25 benefits and/or (if they differ in any way from above) personal or political views or 

26 objectives. The use of collaborative filtering may provide a usefiil tool for assuring 

27 that proper recommendations for political views reflects economic political and socio- 

28 political information available about the user, such economic data of which is 

29 typically gleaned passively and may be confirmed by active confirmation of the user 

30 along with political views and positions on political issues which may prompt the 

3 1 user in order to collect rapid profiling information about the user is overall political 
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1 objectives. Thus SDI can effectively in practical terms provide a "continual" 

2 personal advisor to guide all consumer activities (via contracts) as political decision 

3 making policies, and even these consumer actions to indirectly (via the supply chain) 

4 apply political pressure upon organizations in order to achieve certain desired 

5 economic, or even politically advantageous objectives, at an individual level. 

6 Accordingly, once they are certified on an individual level, SDI could provide 

7 synergistic benefit to the ultimate political objectives of each person individually by 

8 creating a "global political support strategy" for each group of individuals sharing the 

9 same political objectives. SDI may develop information models based on relevant 

10 historical data of what political and economic impacts resulted fi-om politicians and 

1 1 political camps and combinations thereof within political and economic conditions 

12 which are similar. Within the firamework of this methodology an extremely valuable 

13 technical advantage of SDI is its capability to monitor huge volumes of information 

14 fi*om not only organizations but also news feeds, legal cases, government regulation 

15 over industry and profession (which may indirectly affect quality of life of 

16 individuals), and/or monetary status of individuals. Case in point, within the health 

1 7 care industry there is a significant amount of covert, however, aggregious attempts by 

18 both government and private sector HMO's to limit the quality, scope and depth of 

19 health care services which can be provided to the consumer. In accordance with the 

20 present SDI fi-amework, an SDI agent acting on behalf of each individual could 

21 effectively create an economic and political coalition with the collective economic 

22 ability to boycott the most aggregious violators of their monetary and health care 

23 benefits, apply political pressure through believable, perhaps even irrefiitable, threats 

24 (through individual contractual obligations with SDI) to mandate changes to those 

25 particular policies (be at the governmental, regulatory or legal levels) so as to 

26 bring about the desired results at the consequence of voting the relevant decision 

27 makers out of office (directiy or vis-a-vie their political appointees). SDI, in 

28 accordance with its fimctional objectives could also certainly supply valuable 

29 information to users supporting its internal rationale for structuring such coalitions by 

30 estimating and presenting to the user such data as the predicted degree of reduction in 

3 1 the quality of health care (fi*om physicians and hospital for that user and her family 



Page 239 of 381 



SUBSTITUTE SPECIFICATION 



1 based upon the negative impact which the present system has upon these entities. In 

2 addition, it may be advantageous for the most aggregious abusers to be boycotted by 

3 individuals collectively. Based upon the knowledge available to SDI, it may be 

4 advantageous to pre-commit or provide a polling-based solution for the individuals 

5 constituting these coalitions as to their responses to the desirable actions prescribed if 

6 the user rejects the recommendation, SDI may further query the user and/or suggest 

7 an alternate strategy (suggest one to SDI). This data about the political issue 

8 strategy(s) which the user support may then be used in order to provide direct 

9 feedback to politicians with sufficient notice with which to pre-formulate their 

1 0 political strategies at both the micro and macro levels with which to best comply with 

1 1 the adopted or otherwise recommended political and/or economic edicts according to 

12 SDL Or, if it is determined that such pre-knowledge could be abused in such a way 

13 as to politically manipulate campaigns, large employers, etc. undermine the political 

14 support for these edicts, SDI may determine that it is advantageous to not disclose 

15 such information in advance to the target political groups (this, however, is a very 

16 subjective and complex analytical process). Thus SDI, representing each common 

17 group, must determine and predict which politicians are most likely to ultimately 

18 support the issues which are most important to their political objectives for which 

19 advanced disclosure of their own political support strategy is likely to advance the 

20 strategic knowledge of that politician while assuring that none of their positions on 

21 none of the political issues are likely to be ultimately abused by that politician by 

22 him/her ultimately changing his/her position on that issue in order to improve his/her 

23 chances of election. For this reason, it is also of interest to each group to attempt to 

24 predict the ultimate position that each other group is likely to assure for each political 

25 issue in order to determine whether or not pooling their collective influence on that 

26 particular issue (including free disclosure to those "trusted" candidates) would be 

27 advantageous or information which would be potentially harmful to pre-release to a 

28 potential adversary on that issue (which it may ultimately disclose to a candidate 

29 opposing that issue and/or modify its own political strategy in a manner which is 

30 ultimately antagonistic to the interests of the welfare of that issue or theoretically 

31 even issues which that group may wish to disclose in the interest of providing further 
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1 support for the global political strategy through this form of coalition creation). It is 

2 worth noting that within the scope of the present framework it is likely that the 

3 availability of such detailed information, both predictively and at an individual level, 

4 regarding the ultimate political and economic effects which certain voting in other 

5 political support actions via SDI are likely to imply, it is extremely likely that 

6 members of each group may be reluctant to provide information, regarding the groups 

7 political strategy to public polls. 
8 

9 Thus it is a primary objective within the scope of the present system's formation 

10 of common political support strategy groups to ascertain each individuals user's ultimate 

1 1 political objectives based upon the analysis which provides analysis and prediction of the 

12 present and likely future effects, both politically and economically from the standpoint of 

13 that individual (which may include social, professional and predicted individual investor 

14 oriented direct and indirect consequences at a detailed level as it relates to that individual. 

15 And secondly, to formulate a global political strategy based upon these objectives which 

16 are represented by an SDI agent and which is able to recommend actions and, as such, act 

17 as a coalition on behalf of the constituent individuals, and including negotiations for 

18 further coalition formation on various portions this global strategy in order to further 

19 enhances the collective power wherever common interests can be safely identified and 

20 shared to both groups' mutual best interest. 
21 

22 -The effects on commercial industry, even specific businesses in which certain 

23 actions are likely to result, may be modeled and presented to the user as well as the 

24 effects upon the user in light of the investment portfolio of the user. If a particular 

25 political position were to be taken, the system could even recommend 

26 

27 which is most compatible with a particular political position. 

28 

29 Continuation to Supply Chain Section 
30 
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1 It is also possible to utilize the extensive information in SDI to instruct each 

2 political support group's most advantageous supply chain structure in order to be able to 

3 recommend certain strategically advantageous cases of tax dollars which facilitate the 

4 construction of such supply chains in accordance with the above methods above 

5 described. It should be noted that a "political group" may be further subdivided into 

6 groups based upon purchase affinities (which themselves suggest different group 

7 divisions) which in turn may bribe or boycott commercial entities as needed to achieve 

8 their most advantageous strategy as consumers or simply individual users (as economic 

9 entities). Each subgroup (via SDI) may further augment their economic leverage with 

10 their political leverage (over tax allocation decisions). E.g., if candidate X supports this 

1 1 particular supply chain strategy and if he is elected then it is most optimally advantageous 

12 to also utilize consumer leverage in supporting transactions with certain vendors and 

13 boycotting others in order to support or complement the politically (tax) funded strategy. 
14 

15 As suggested, SDI may be used to facilitate the matching and strategic formation 

16 of coalitions of groups which are most likely to benefit one another on particular political 

17 issues or formation of strategic contractual relationships between commercial entities 

1 8 (SDI is able to determine if/when certain information is helpful or harmful to disclose to 

1 9 another particular entity). Each group may exert particular leverage over politicians. I.e., 

20 not only could the politicians receive feedback as to the political issues and economic 

21 (commercial) alliances which are most advantageous but also the groups could upon the 

22 advice and direction of SDI make their votes conditional upon the politician supporting 

23 certain issues or economic actions. SDI could provide real-time feedback right up until 

24 the election as to the numbers and percentages of users who had supported the candidate 

25 and the candidates response to them. There are other instances in which the leverage 

26 could be used to incentivize commercial entities to support certain political concerns e.g., 

27 if company X donates percentage of its revenues to the United Negro College Fund group 

28 Z will support the facilitation or an alliance between company and a major manufacturing 

29 firm (e.g., by putting consumer pressure upon those retailers which are the 

30 manufacturers' customers to in turn threaten temporary boycott of the firm unless the 
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1 stipulations are met or if they are not consumers to instead offer consumer loyalty (e.g. 

2 through dedicated currency). 
3 

4 A variety of applications of the present scheme are conceivable such as local 

5 politics such as commissioners office and board members delegated for purposes of 

6 masterplaning and use applications and allowing or disallowing certain real-estate and 

7 highway development projects. Certain commercial projects, for example, could be of 

8 substantial benefit to certain commercial entities which could provide considerable direct 

9 long term economic benefit to citizens in the local community even directly to the 

10 individuals in the communities (who elect those officials) as well as contribute indirectly 

1 1 via the available tax base. Or certain commercial entities could, for example, directly or 

12 indirectly provide economic benefit to certain individuals, e.g., if they are employees, 

1 3 investors or commercial entity which is in some way commercially dependent upon that 

14 company, e.g., for commercial business if it is a customer or altematively a supplier and 

1 5 the impact of its resulting success in general (or even local presence) would again provide 

1 6 trickle-down economic benefits to that entity. In accordance with the present application 

17 it may even be possible to estimate values for such factors as, for example, the economic 

1 8 impact 20 years in the fixture upon commercial business and industries in the local region 

19 (as well as nationally) if local schools are provided with a 10% vs. a 7 V2% share of the 

20 local tax base. With these predictive models, the associated prospectively affected 

21 commercial entities could, effectively encourage SDI acting on behalf of the local 

22 citizens to form a coalition which makes their voting of the relevant elected official(s) 

23 contingent upon the increased tax allocation for local schools (the specific preferred users 

24 could be predefined as well). SDI acting on behalf of the interests of the prospectively 

25 affected commercial entities could bribe the citizens with either (preferably) such benefits 

26 as in kind, goods/services which could in turn be leveraged through the supply chain or 

27 through a barter exchange system or employment benefits or wage increases (which again 

28 could be effectively treated as a barterable commodity subject to the above conditions of 

29 avoiding interactions with competitive entities. Such modelling could be extended to 

30 many other situations, e.g., allocation of fiinds to police, fire and EMS services, 

3 1 approving and providing highway improvement again may provide the above benefits 
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1 etc. providing safety and preserving the health, welfare and life (in addition to 

2 educational quality) of a certain number of individuals (each with a certain predictively 

3 modeled) local economic impact. The cost versus impact affecting each citizen could be 

4 presented to them by SDI accordingly in order to elucidate their decision making 

5 processes. 

6 There may be certain instances in which users at an individual level may be able to 

7 provide predicted this benefit can be quantified towards commercial 

8 entities or even individual users if particular events can be achieved (or particular events 

9 prevented). For example, consider a student who is determined to be capable towards 

10 achieving substantial real-world success, hi one instance the student cannot afford tuition 

11 for graduate school, hi another instance, the student cannot afford to continue his/her 

12 studies due to depleted financial resources. The present system may model and predict 

13 likely beneficiaries commercial or even individuals who are likely to benefit and 

14 accordingly "insure" certain long-term monetary benefits (if a commercial entities) or even 

1 5 personal or social benefits (if an individual). 

16 Intemet piracy of copyrighted information is costing authors billions of dollars per 

17 year. Technical experts (e.g., within SDI or outside "domain experts" which SDI had 

1 8 identified and presented the problem) identify a technical solution consisting of a ground 

19 breaking technology which could greatiy reduce total piracy fi*om occurring, however, such 

20 solution would require cooperation fi'om all of the Intemet server manufacturers. There is, 

21 of course, the small risk that in the relatively short-term the technology will partially or 

22 completely fail (e.g., copyright pirates find a way around the solution) before a sufficient 

23 amount of revenues are realized by the copyright owners to off-set the cost, and justify the 

24 expenses to the server manufacturers, of integrating the technology into their services. 

25 ;ln addition, if copyright owners receive their rightful share of royalties, more Web 

26 servers will be sold in general to host such content. (Insert 2 firom page 3) SDI can be a 

27 facilitator to enabling a beneficial solution to the industry in the following ways: 

28 1 Present estimated industry-wide revenue losses compared to the industry-wide 

29 the server manufacturers as a group sustain (based upon sales data each one 

30 individually and secretly submits to SDI). 
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1 2 Also present the increased sales the industry would sustain if the copy-wright owners 

2 received their rightful royalties to the extent which the solution is able to provide. 

3 3 Provide insurance or create a future market to insure investors who would invest in the 

4 commercial opportunity for a share of the anticipated monetary benefits to the industry 

5 (such investors could include members of the industry). 

6 4 Negotiate a deal with investors and/or an insurer (the latter of which could also be SDI 

7 representing the industry). A SDI again, of course, may also represent the investors. 

8 Information which is enclosed may, for example, contain in addition to the identity 

9 of the prospective investors, the complete discussion of the economic benefits which each 

1 0 individual investor could potentially sustain, however, this information is disclosed only to 

1 1 the SDI representing the collective interests of the prospective investor coalition (a primary 

12 directive of which is to never compromise the data disclosure policies of any individual 

1 3 investment entity, even if such disclosure to one or more of members of the group may 

14 ostensibly benefit the collective group). It is thus the objective of this collective SDI agent 

1 5 to make individual date disclosure recommendations for each prospective investor that will 

16 optimize the probability that the basic fi-amework of the collective cooperative group is 

17 successfiiUy created while enabling the individual entities to withheld sufficient strategic 

1 8 information fi*om the group in order to optimize its own negotiating position with the other 

19 entities. For example, it would be particularly advantageous to disclose credentialed 

20 information regarding the benefits which the investor could provide to the collective group 

21 of investors (based upon the existing investor information disclosed by the associated 

22 companies) and information regarding the existing relationships which that investor has with 

23 existing companies which could, in turn, provide positive benefits to the companies 

24 constituting the global investment strategy of the group and (in the case of negotiating with 

25 each given individual investor prospect) the benefit to companies which that investor has a 

26 relationship with and made available to tiie present investor prospect. These companies 

27 may also include tiiose which SDI has recommended to that investor as part of the global 

28 investment strategy for that group. 

29 uUser's reactions to various events and stimulate the video programming can be 

30 captured, aggregated and accessed by present viewers such video in real-time or 

3 1 asynchronously for fiature viewers of non-live content by user profile (or content profile) or 
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1 by similar users to that of the profile of the user. Observing reactions/responses to political 

2 or ethnic jokes by that group which is targeted or other groups may be interesting to users to 

3 observe as a simple example. Reactions/responses to news or political events by different 

4 groups or those most effected thereby may be of interest to users. 
5 

6 13,1 .7 Off-line Variations 

7 We can allow the community dollar/iamworthit model to extend to physical 

8 transactions, for example via smart card technology. A buyer can carry a smart card with 

9 community dollars, that are loaded from the user's computer device, or fi-om some third- 

1 0 party operated kiosk. 

11 For vendors who offer the integration of community dollars into their discount 

12 programs (e.g. may be members of a vendor coalition) the buyer may at any vendor 

13 terminal, kiosk or his/her PC upload targeted- vendor promotions such as digital coupons 

14 which are tailored to the users profile. This profile is downloaded to the vendor and which 

1 5 consists in part of the recent purchases s/he had recently made at the various vendor stores. 

16 In another variation, the community dollars may be coded into a form which is bar 

17 code reader enabled and distributed to the buyer electronically or potentially if used in 

18 conjunction with a traditional loyalty points program, additionally printed for the buyer at 

19 the vendor's physical location (such as point of sale or kiosk), applied in conjunction with 

20 purchases at the vendors physical location. At which point typically a new coupon is 

21 reprinted containing the updated secure information pertaining to the buyer's conmiunity 

22 dollar and/or loyalty points account. 

23 hi another variation, a promotion for a yearly allowance of community dollars could 

24 be printed as an advertising offer on a magazine coupon, newspaper insertion or direct mail 

25 piece which could contain a unique URL (typically the actual URL for the iamworthit 

26 community dollars subscription site with a unique post script as the character string ("code") 

27 identifying that particular vendor and/or that promotion) fi-om which the buyer could 

28 subscribe to iamworthit, wherein the unique URL acts as an identifier for that particular 

29 vendor's promotional piece fi-om which the buyer originally received the offer for his/her 

30 own community dollars promotion. 
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1 Within SDI we could send physical solicitations to buyers, and allow buyers to 

2 access promotions pseudonymously. SDI can target a selected audience for each vendor. 

3 Example: An iamworthit card in accordance with the pseudonymous payment methods 

4 described above, such a card could be a direct extension of SDI into the off line 

5 environment. Buyers could use this card as an identifier such that when they travel 

6 physically fi^om vendor to vendor, their profile data can be readily identified where data 

7 pertaining to their own behavior and policy (depending on their data release potentially part 

8 of the vendor's user profile data) is retrieved. 

9 If a smart card is used this user profile data may not have to be remotely retrieved 

1 0 but may be stored on local memory on the card itself along with the client-based pseudonym 

1 1 proxy server. In one novel variation, a card is done away with completely by virtue of 

12 revolutionary technological breakthroughs in being able to instantly and positively identify 

13 buyers biometrically using iris scanning techniques (which may in a variation be fiirther 

1 4 combined with facial recognition techniques). Many vendors will wish to utilize user profile 

1 5 data in order to deliver promotions targeted discounts and promotions (see pending patent 

1 6 "System for Customized Prices and Promotions") 

17 13^1 .7.1 ^Location Enhanced SDI System 

18 The co-pending application entitied "Location Enhanced hiformation Architecture" 

1 9 (LEIA) describes an integrated advertising delivery platform which selectively targets buyer 

20 personalized advertising based upon both the buyer's personal profile and the present 

2 1 location of the buyer which may suggest appropriate ads fi-om vendors which are local to the 

22 buyer, wherein user identifiers (UID's) which could include any of the above identification 

23 media provide the essential elements for this buyer targeting platform. With LEIA 

24 information providers can utilize location information, in addition to static and dynamic 

25 profiling information. The method customizes the information that is displayed on a private 

26 or public information device to the real audience in the vicinity of the device, instead of a 

27 predicted audience. LEIA collects an extremely detailed and comprehensive information set 

28 about the daily activities of a user, enabling enhancement of the user profile with location 

29 information and temporal activity pattems. The co-pending LEIA patent suggests 

30 appropriate application environments, for example in a smart home, an office, on a mobile 
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1 shopping device, and in an automobile. A LEIA-based system stores personal information 

2 on users. 

3 We can extend LEIA by incorporation with the Secure Data Interchange system that 

4 we teach in this patent. SDI enables the user to receive the benefits of powerful and well- 

5 directed information, but within a system that respects his/her privacy requirements. The 

6 interchange acts as a secure data warehouse for users and information providers, enabling 

7 information providers to target users without revealing private information to the providers 

8 directly. As described in LEIA, the privacy architectures provided for in LEIA and SDI are 

9 all the more critical as components of an SDI enhanced LEIA system architecture given the 

10 extreme sensitivity of personal location data which must be securely protected in both real- 

1 1 time and within an asynchronous context. 

12 LEIA customizes information that is displayed to an information recipient based on 

13 object profiles and physical location of users. Presents the information most relevant to the 

14 REAL audience, not a predicted audience per se. Because of LEIA's ability to combine 

15 user's preference information with information about their current physical locations and 

16 deliver advertising which is both of personal and location contextual relevance to the user, 

17 LEIA provides a valuable enhancement to the targeted advertising services provided by 

18 iamworthit. For example, instead of advertisers being limited to accessing desired 

19 preference attributes of users in the pseudonymous user database exclusively they may 

20 additionally access prospective target recipients by present (or anticipated fixture) location 

2 1 parameters of users connected to mobile and even terrestrial commimications networks. 

22 In accordance witii the iamworthit targeted advertising platform either advertisers 

23 select user profile attributes which they are interested in or the system matches their ads 

24 automatically to the most relevant users. The former application may be performed either 

25 within the context of the pseudonymous user database which the vendor queries or targeting 

26 rules which s/he provides which control the advertising and pages which are dynamically 

27 generated for each user based upon his/her user profile. Whether the user's location is 

28 detected on a mobile network or a terrestrial network including telephone or cable TV, 

29 LEIA's location features are able to provide additional usefiil features regarding users to the 

30 vendor's rules interface or to the pseudonymous user database controlling dynamic page 

3 1 generation at his/her site. 
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1 For example, at a bookstore, we can recommend isles and particular books; at a 

2 supermarket, can play music preferences; smart-radio, play appropriate channels in a cab 

3 based on target object profiles (as meta-data). As suggested in issued patent "System for 

4 Broadcast of and access to Video and Other Data Using Customer Profiles" appearance of 

5 relevant selections can be continuously scanned for, dynamically selected and presented to 

6 the buyer in the form of "Virtual radio station". Such a system can also be linked to a 

7 service for making an instant purchase, or linked to a database (in conjunction with LEIA) to 

8 recommend where a buyer should physically go to make a purchase. For example, music 

9 selections that the buyer is presently listening to may be ordered. 

10 Also, it is possible to provide advertising which is targeted to a buyer by 

11 automatically recognizing pre-existing conmiercials and replacing them with targeted 

12 counterparts. This can be done through the identification of previously played commercials 

13 for example, commercials that have been manually identified and classified. Upon 

14 recognition, targeted commercials (including those which are targeted by buyer location in 

1 5 accordance with LEIA) may be inserted into these spots, and delivered and/or pre-cached 

1 6 through cellular, satellite or radio communications. 

1 7 At a public phone we can identify a buyer with his/her calling card, and deliver 

18 targeted advertisements, via the public telephone readout or delivering the targeted ads as 

19 audio messages in which server software at the phone switch (an ISP level proxy) 

20 recognizes ifi'when the buyer is put on hold and delivers audio and/or audio/video 

2 1 advertising to the buyer accordingly. 

22 Targeted discounts and advertisements can be delivered at kiosks, for example using 

23 a credit card/smart card/other ID method (e.g. biometric.) Similarly, we can use credit 

24 cards to deliver targeted print advertisements on the backs of purchase receipts, e.g., 

25 supermarkets or fixeling pumps or, altematively, on a sheet dedicated for a advertising 

26 purposes conjunction with public copiers or printers or in another variation, on the cover 

27 sheet of incoming faxes which are sent to the buyer's fax machine or in which the buyer is 

28 otherwise identified automatically fi-om the recipient's name field on the cover sheet. 

29 One application includes "Smart Home Intelligence", where methods are disclosed 

30 by which users' real-time behavior may be profiled through their movement throughout 

31 their home, and specific interactions with the various network enabled appliances 
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1 throughout the home. Other inputs may include the user's speech patterns (using voice 

2 recognition in combination with text analysis). It could for example, note the user's speech 

3 content patterns in real-time. Such information provides invaluable clues as to the user's 

4 present activities, mood and interest state and may be processed by the presently described 

5 algorithms tuned with location/time features typically using the assistance of human data 

6 analyst to identify the key features and correlations. (This information may also provide 

7 enhanced information pertinent to the user's general, static preferences as well). 

8 Other extensions of this scheme are also considered e.g. within the context of the 

9 user's office, or automobile and pedestrian activities. This application may thus extended 

1 0 the usefiilness of the iamworthit model to advertisers in being able to target users through 

1 1 the presently anticipated on-line media as well as networked appliances and in either case, 

12 based upon the relevant context of users' present activities and behavior (and from this 

13 potentially their inferred moods or mental states) within their homes and elsewhere. 

14 Additionally (perhaps most importantly), LEIA provides a highly beneficial value to 

15 vendors whose customers purchase primarily from the vendor's bricks and mortal store 

16 presence. SDI can identify multiple vendors which share a common physical location. 

17 Additionally, LEIA can also identify the physical location of buyers on mobile and 

1 8 terrestrial networks and suggest the sharing of off-line prospects for these off-line retailers 

1 9 on the basis of not only interest but physical location. 
20 

21 13,1 .7.2 _Digital Set Top Box Methods 

22 Similarly, we can deliver targeted advertising and other information through cable 

23 TV systems, as described in the issued parent patent application entitled "System and 

24 Method for Scheduling Broadcast of and Access to Video Programs and Other Data Using 

25 Customer Profiles" US Patent # 5,758,257, and co-pending application entitled "Broadcast 

26 & System for reduced memory terminals broadly address the use of cable systems as an 

27 interactive medium (in a bi-directional network architecture) for purposes of delivering 

28 targeted advertising targeted advertising and other information to the consumer based on 

29 user profiles". 
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1 In this system customer behavioral data is collected at the digital set top and the 

2 upstream channel enables these profiles to be processed at the lead end server. These 

3 detailed profiles may then be subsequently transmitted down and stored at the level of the 

4 individual set top. The cable environment is a two way interactive medium. The bandwidth 

5 allocation is inherently asymmetric. Separate channels can push parallel adverts, which are 

6 selected at the set-top-box according to a buyer's profile. Each channel can have associated 

7 meta-data to allow matching at the set-top-box. As an alternative variation, full motion 

8 advertisements may be down loaded in the form of applets to the digital set top box and 

9 displayed to the buyer in similar fashion as described above. Or full-size commercials or 

1 0 infomercials could even be downloaded and inserted in place of existing commercials on the 

1 1 video stream. Digital tags used for queuing for ad insertion technology enable this 

12 capability. The preferred commercial implementation of the system -is used within the 

1 3 context iamworthit (the buyer infomediary service in which the viewer receives value for 

14 advertising received). This method is preferred (in as much as in the following altemative, 

15 the cable operator does not need to be in the loop). With that said, in an alternative 

16 embodiment, however, requiring the cooperation of the cable operator various commercials 

1 7 could be broadcast in parallel during commercial breaks. The user profile at the set-top is 

1 8 deployed to select the most appropriate commercial accordingly. 

1 9 User profiles regarding viewing behavior- can be collected with relatively minor up- 

20 stream transmission, e.g., to infer whether a buyer is viewing a program the set-top may 

21 transmit the viewers current viewing selection, e.g., two minutes after the beginning of each 

22 half hour and two minutes before the end of the half hour (and possibly at additional 

23 intervals during the viewing segment as well). Li the point-to-point access and delivery of 

24 personal information as well as the passive monitoring of viewing behavior (for profile 

25 generation at the head-end and subsequent user profile delivery for the set-top) because of 

26 strict buyer privacy regulations in the cable/satellite industries the use of the pseudonym 

27 proxy server architecture (as described in the parent case and integrated into the above 

28 referenced case) is extremely important. 

29 Once interactive television is enabled by access to very large amounts of bandwidth, 

30 it will be very feasible from a bandwidth utilization standpoint to transmit more interactive 

3 1 content. Predictive caching is still extremely advantageous in as much as advertising (unlike 
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1 interactive video real-time on demand video content) tends to be controlled by targeting 

2 rules of the advertiser rather than the user who receives value in exchange. Of course, radio 

3 or music content may also be delivered in conjunction with preloaded audio commercials. 

4 And any of the above content is deliverable over the same networks to other appliances such 

5 as the P.C. 

6 13.1 .7.3 _Optical-Based System Extension 

7 lamworthit in a fiiture version of the system could incorporate a novel optically 

8 based medium for delivery of the advertising. The protocol would enable the delivery of 

9 user targeted advertising in a non-electronic environment directly to the user from a static 

10 source in visible contact of the user. The system incorporates the following aspects: The 

1 1 user wears glasses or contact lenses which contain a Polaroid film in which the optical 

12 medium is polarized for only certain very narrow and specific wavelengths. 

1 3 Advertisements (or other messages) may be presented from signboards which display from 

14 the same surface ads appropriate for every different user profile segment for which a unique 

15 message is appropriate. The Polaroid film for each user is unique to the user segment to 

16 which they belong. Each user segment's optical film filters out all of the particular 

1 7 wavelengths of all other messages except that which is appropriate to the user segment to 

18 which that user belongs. Alternatively, the current application may also be relevant to 

1 9 virtual tags as users may provide instead optical messages specifically targeted by a user to 

20 other users characterized by their profile features which establishes the entire criteria for the 

2 1 user segment they fall into for which an appropriate message may be targeted. 

22 13.2. Jnteractive Data Mining Applications 

23 In this section we describe interactive data mining applications, which involve 

24 dynamic two- or multi-way communication between agents. For example, within the 

25 context of a vendor-consumer interaction, the key difference is that information flow is 

26 not one-directional. An important example is time-of-purchase, in which the consumer's 

27 agent initiates a request for a response (with a counter bid) from a number of vendors. 

28 The vendors can access profile information about that consumer, and then make 

29 personalized responses. In general, this bid-response processes can iterate, with 

30 vendors/consumers exchanging information over multiple rounds. The exchange of 
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1 information may occur within SDI in initial stages, with the system acting as a trusted 

2 intermediary until the agents are ready for an introduction. 

3 We describe time-of-purchase competition, and then move on to general match- 

4 making applications, which allow interested parties to exchange information by mutual 

5 consent (as indicated in SDI rules), with initial information exchange autonomous. There 

6 are a number of interesting match-making applications, for example within a system for 

7 sensitive negotiation, introductions. The system of SDI can play the role of a trusted 

8 intermediary, so that only suitable introductions are made. A vendor can place a request 

9 for a certain type of meeting without its competitors knowing that it has made such a 

10 request. Finally, we describe a "real-time experts market", in which experts can respond 

1 1 for payment to questions placed by other agents. The system of SDI allows a useful 

12 matching of agents and experts, and also allows data mining to check on the feedback a 

1 3 particular expert has received from previous clients. We also suggest an application of 

14 interactive SDI-based data-mining to resale markets, and to a decentralized transportation 

1 5 management system. 

16 13.2.1 _Time of Purchase Competition 

17 One application of the system of Secure Data Interchange is in 'time of purchase" 

18 competition, where by a networked system of vendors can subscribe and receive the 

19 opportunity to place counteroffers to users that are about to make a purchase. This 

20 application is enabled within SDI because the user agent can remain anonymous while 

21 receiving counteroffers, but still use the system of SDI to provide profile information that 

22 can allow vendors to make attractive personalized offers. The client-side SDI proxy notifies 

23 a central SDI "time of purchase" server, which can: 

24 Determine appropriate vendors to prompt with an opportunity to make a counteroffer. 

25 Create a one-time anonymous identifier for the user, linked to an appropriate set of 

26 profile information, and allow vendors to execute queries under that profile. 

27 Collect counteroffers, and pass them to the user's client machine. 

28 

29 We also describe how to generate coalitions dynamically, based on the privileged 

30 position of the time-of-purchase- server in the marketplace. The time-of-purchase server can 
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1 transparently bundle purchases from disparate end-users, and negotiate quantity discounts 

2 with vendors. Buyer Coalition formation can significantly improve negotiating leverage as 

3 the collective buying power of numerous individuals using the time-of-purchase competition 

4 feature, and be made completely transparent to users. 

5 Time-of-purchase allows a user to elicit dynamic market competition between 

6 vendors. For example, when a user browses a book at Amazon.com if she/he chooses to 

7 activate the time-of-purchase competition feature from the browser, a notification will be 

8 sent-out in real-time to all competing book stores which also offer that product section. The 

9 notification contains the product code and price quoted to that user at Amazon. The 

1 0 electronic agent at the vendor's site has an opportunity to counter Amazon's offer to the user 

1 1 (typically on the basis of price, however, other parameters may be used as well). The user 

12 may then select the offer which is most competitive or attractive, including the original 

13 offer. 

14 Integration into a standard shop-bot interface e.g. with comparative features of the 

1 5 products associated with the various offers across a variety of product criteria, or at the least 

1 6 price can be used to provide the user within simple recommendations. 

1 7 Another extension is to propose a special interest-bearing bank account which we set-up for 

18 the user which is tied into a wallet or debit/credit card for off-line transactions. We can 

1 9 allow a user agent to bundle its own purchases over time, and use the system of SDI to 

20 guarantee fixture payment to on-line vendors in return to a good current offer. This is novel, 

21 because it is like participating in a "discount scheme" without purchasing the right to fixture 

22 discounts up front. A user can still invest money that is earmarked for fixture purchases with 

23 a vendor. 

24 13.2.1.2 Description 

25 Figure 17 illustrates the overall architecture of this on-line B2C e-commerce 

26 application of the methods of SDI. The agent represents a user with an SDI-enabled client 

27 machine, the vendor a server computer, also SDI-enabled. Agents interact with vendors both 

28 direcrty and via the central SDI server, and other components. We illustrate the time-of- 

29 purchase server, which receives requests from user's client machines as purchases are about 

30 to be made, and forwards those requests via the SDI central data warehouse to vendors. 
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1 Client-side proxy agents monitor the interaction between a user agent a vendor, and can be 

2 configured to automatically notify other vendors when a purchase is about to take place. The 

3 key problem that we address to implement a system for time-of-purchase competition is 

4 how to identify the type of purchase that a user is about to make, automatically. This makes 

5 the operation of time-of-purchase seamless to a user, the system simply requires that the 

6 user waits for a period of time while competitive bids are collected from other vendors. 

7 We propose two variations: 

8 a) The vendor with which the user is about to make a purchase subscribes to SDI 

9 and provides information to the client-side proxy about the user's interaction. 

1 0 b) The vendor is un- cooperative, and the client-side SDI proxy needs to use other 

1 1 techniques to classify the type of product or service that a user is requesting from 

12 a vendor. 
13 

14 The central SDI data warehouse maintains a searchable index of vendors that 



1 5 provide certain products and services, and sending buyer-profile and purchase information 

16 to appropriate vendors just before a purchase is made. Vendors can register with SDI to 

1 7 receive time-of-purchase competition opportunities, and can also register to allow time-of- 

1 8 purchase competition with purchases on their web pages (case a, above). Of course, it is 

19 unlikely that a vendor would do this without incentive, perhaps one incentive could be a ^ 

20 discounted price for registering to receive opportunities for time-of-purchase competition. 



2 1 In fact, this problem of client-side identification of transactions is a key problem that 

22 must be addressed in a description of client-side user profiling and the submission of 

23 information to SDI. The system of SDI requires a method to know what the user is doing. 

24 Click streams, typed query information, provided profile information etc. 

25 A vendor that registers to receive time-of-purchase competition opportunities agrees 

26 on a standard classification system for products and services, and to state what types of 

27 products and services it wishes to enable for time-of-purchase competition. The 

28 classification system encodes the product or service that a user requests, at an appropriate 

29 level of detail to allow other vendors to make reasonable counteroffers. 
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1 The iamworthit central server maintains a database of vendor interest sets, so that it 

2 can determine from a classification code which vendors will be interested to provide 

3 counteroffers. 

4 For example, if the product is "flights to the UK" then the code might encode the 

5 dates that the user wants to travel, and his/her preferred departure and arrival airports. 

6 Take case (a) , where we assume that a vendor is cooperative and provides the SDI proxy 

7 agent that implements time-of-purchase for the user with a final product/service code and 

8 price. The system works as follows: 

9 1 . User enters into a dialogue with vendor. 

10 2. Vendor makes "final offer" to a user, and the user is about to make a purchase. 

1 1 The vendor has also informed the user of the product/service classification code 

1 2 that encodes relevant information about the type of product the user wants to 

13 purchase. 

14 3. User clicks on 'time of purchase competition option' on its local SDI-enabled 

1 5 client. 

1 6 4. Client sends message to the SDI time-of-purchase competition server with (User 

1 7 profile information/identifier, one-time time-of-purchase ID, product/service 

1 8 classification code) 

19 5. Time-of-purchase competition server looks up the product code, and sends the 

20 user profile identifiers and a time-of-purchase ID to relevant vendors. 

21 6. Vendors can construct competitive offers based on profile information accessed in 

22 the central SDI data warehouse, and information about the existing offer. 

23 7. Vendors send the counteroffers to the time-of-purchase server, which forwards 

24 the offers to the user's client-side SDI proxy. 

25 8. The user is presented with a set of altematives, and can make a final purchase 

26 decision. 

27 9. The final purchase is completed with the appropriate vendor. 
28 

29 We allow other vendors to access profile information about a user based on the 

30 profile information that the user provides to time-of-purchase, i.e. based on the profile which 

3 1 it wishes to use for the purposes of having appropriate counteroffers constructed. At this 
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1 stage the client-side SDI proxy agent might also send additional profile information to be 

2 stored within the SDI data warehouse. 

3 It is useful for vendors to access profile information about a user (anonymously or 

4 pseudonymously, as defined by the user's proxy agent) because products and services can 

5 be configurable goods or services, and a vendor can compete on more than price alone, but 

6 also in other dimensions. 

7 The one-time time-of-purchase ID is constructed client-side in step (4) to act as a 

8 temporary identifier for the purposes of soliciting competitive responses fi-om vendors. 

9 Vendors can be prevented fi-om making direct offers to users, all counteroffers must be 

1 0 forwarded though the time-of-purchase server. 

1 1 Figure 1 8 shows the offer process in time-of-purchase competition, with an offer 

12 from a vendor that a user interacts with via an SDI-enabled client triggering a set of new 

13 requests for counteroffers from other vendors. The 'offer' message from Vendor 1 includes 

14 a code about what type of product or service the user is requesting, and is passed to the other 

15 vendors. The 'request counteroffer' from the client to the iamworthit server contains 

1 6 information from the user to enable the other vendors to make personalized responses, based 

17 on profile information stored in the central SDI data warehouse. After the 'request for 

1 8 offers' are made, the vendors compute responses and (optionally) access profile information. 

19 Finally, vendors make responses which are collected by the time-of-purchase competition 

20 server and forwarded to the user client. 

21 We can also allow vendors to pop up competitive offers to other offers the user 

22 sees on another competitor's site or ad banner in real time, even if the user is not about to 

23 purchase the product. For example, if a user is shown "get this CD for $15, then a 

24 competing offer of no, get the CD for $14 can pop-up '\ A simple extension simply has 

25 the user also receiving a pop-up banner with a competing price if they are viewing a 

26 competitors offers in the virtual store of that competitor. We might also report to a vendor 

27 if, when, and to what degree a customer is becoming disloyal to a particular vendor and 

28 taking alternate offers. 
29 
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1 13.2.1.3 Applications 

2 There are numerous example commercial applications in which the time of 

3 purchase competition features can be utilized to provide significant benefit to the user. 

4 Some the less obvious commercial domains include: 

5 1). Travel Packages and Flight and Hotel Rates - Features, amenities, class, activities, 

6 entertainment, excursions, etc. 

7 2). Financial Services (e. g. , Loans and Mortgages) - Terms, amortization, interest 

8 rates, service fees, etc. 

9 3). Automobiles - Luxury and safety features, warrantees, auto club membership, 

1 0 terms of purchase, etc. 

1 1 4). B2B Commerce - Numerous commercial applications including standard Web- 

12 based environments for B2B e-commerce including buyer-side and seller-side e- 

13 commerce applications, vertical B2B portals and trading floors. 

14 5). Job Positions - Employers posting job positions may be notified by the service of 

1 5 competing job offers which employment candidates are browsing ( and ultimately 

16 accept if this information is indicated by the candidate). Resumes and, if desired, 

17 other profile information is provided to all competitors. Depending upon the profile 

18 of the candidate and/or competitive employment opportunities which a particular 

19 candidate is observing (or has recently observed), employers may wish to customize 

20 offers dynamically on an individual basis. 

21 13.2.1,4 Integration into a Shopbot Interface 

22 We also suggest the integration of time-of-purchase competition into a standard 

23 shop-bot interface e.g. with comparative features of the products associated with the 

24 various offers across a variety of product criteria, or at the least price can be used to 

25 provide the user within simple recommendations. With this, even without a time-of- 

26 purchase offer the user can at least compare its offer with fixed-price deals in the wider 

27 market place. We might also provide a user with historical information about previous 

28 (low) price offers, within a Yahoo-like portal for e-commerce; to provide a user within 

29 information about a reasonable price for each individual purchasable; i.e. the very lowest 

30 price that each given item had been offered to a customer previously using time of 
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1 purchase competition. This site could also act as a stand alone proxy server (like 

2 anonymizer) which inserts this information by overlaying it on Web pages as the user 

3 browses the web. 

4 The time of purchase competition feature is designed to be accessible to a user 

5 within the context of or most any information access mode relating to browsing on the 

6 Internet e.g. Web or portal browsing, receiving email or "push" content, submitting 

7 queries (e.g. specific names, categories and/or desired features (or combinations of the 

8 above) of products which the user identified as being or present interest. 

9 During any of the above information access modes when a buyer specifies time-of- 

10 purchase competition at her SDI client proxy, SDI can automatically provide competitors 

1 1 with information about a buyer's product or service requirements, and a buyer's profile, as 

1 2 well as on particular vendor specific offers the buyer is observing or contemplating before a 

13 buyer makes a purchase. This can facilitate competition between vendors, and can lead to 

14 better prices and offers for buyers. The system of time-of-purchase competition can also 

15 help to reduce the costs of entry into a market, because name-recognition becomes less 

16 important. New vendors can simply register with time-of-purchase referral system, and 

1 7 cherry pick a small set of purchases. 

18 This is a next-generation e-commerce service. Current shop-bots, for example 

19 "Junglee" at Amazon.com and www.shoptheweb.amazon.com provide a static comparison 

20 shopping service. A buyer can specify a product, and receive price information about the 

2 1 product fi-om different suppliers. There is no dynamic competition between vendors on price 

22 or features. The buyer driven service for flights offered by www.priceline.com is more 

23 dynamic, in that a seller is found to match the price that a buyer bids, but does not 

24 necessarily promote competition between sellers for a user's purchase. In fact the sellers can 

25 make excess profits firom the pricing errors made by buyers, because once a buyer states 

26 his/her reservation price, that is the price he/she must pay. Surplus goes to the market 

27 operator, e.g. priceline, but not to the user. The system is also different to our proposed 

28 system in that: 

29 a) Time-of-purchase competition is disintermediated and decentralized, 

30 implemented dynamically over a virtual network of competing vendors. 
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1 b) Time-of-purchase also allows a vendor to access anonymous profile information 

2 about a buyer, to enable a careful tailoring of an offer to the preferences of a user. 
3 

4 We can use profile information, and historical transaction information for similar 



5 transactions, together with the customer price/promotion algorithm disclosed in co-pending 

6 patent "System for the Automatic Determination of Customized Prices and Promotions" to 

7 negotiate on a deal with a vendor that will optimize the value to the buyer. Profiling of 

8 vendors, and buyer transactions, can allow buyers to avoid making bids that are too high and 

9 losing value (airlines in priceline.com can profit fi-om inaccurate buyer bids). 



10 Time-of-purchase enables vendors with competing products or services to receive 

1 1 automatic notification when a buyer is about to purchase a relevant product or service. A 

12 vendor can also receive information on the profile of a buyer, and the offers made by other 

1 3 vendors; and submit counter-offers to a buyer via the buyer's SDI-enabled client. The buyer 

1 4 can then be presented with a final set of offers, before making a purchase decision. 

1 5 A buyer can also configure its profile management rules within time-of-purchase to 



16 provide profile information relating to the buyer's sensitivity to discount offers, customer 

1 7 loyalty with other vendors, value responsiveness (bargain driven), responsiveness to high 

18 quantity discounts (for only those categories which the buyer makes fi-equent or large 

1 9 purchases), etc. This information can be certified by the buyer's client-side SDI proxy, as a 

20 fair representation of the purchasing habits of a buyer, and can be aggregated across product 

2 1 types to protect a buyer's privacy. 

22 The SDI time-of-purchase server can identify vendors with similar products or 

23 services, either using a static- index which maintains vendors in particular product domains, 

24 or through dynamic profile matches between the target object profile of the web site that the 

25 buyer is currentiy browsing and target object profiles of the web sites of other SDI-enabled 

26 vendors. Alternatively, perhaps classification and clustering techniques can be deployed to 

27 identify similarity between vendors at the level of target objects, i.e. the products that a 

28 vendor offers; as indicated by virtual tags provided by a vendor that profile its products and 

29 services. 

30 The time-of-purchase competition system may also draw in static "listed" offers on a 

31 vendor's web site, to prevent a vendor over-charging a user. In addition, SDI might track 
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1 purchases and via clustering techniques request prices on similar or competing products to 

2 the product that a user is about to purchase. These products and/or services may also be 

3 released to a user. When presenting a choice of products and/or purchases to a user we can 

4 allow many features to be summarized, for example features which relate to the location of a 

5 vendor, terms of shipment and insurance, and user ratings. 

6 Vendors are notified, and provided with the ability to access the profile of the buyer 

7 (as the buyer deems appropriate), either with client-level processing or through the release 

8 of an anonymous profile to the vendor. Vendors typically will wish to construct offers 

9 through a rule-based engine, data-mining techniques, or automatic collaborative filtering 

10 techniques, as disclosed in co-pending patent application "System for Automatic 

1 1 Determination of Customized Prices and Promotions" and U.S. Patent #5,754,939, 

12 "System for Generation of User profiles for a System for Customized Electronic 

13 Identification of Desirable Objects" as such techniques may be deployed by the vendor 

1 4 directly or via the Secure Data Interchange representing the interests of the vendors. 
15 

1 6 Choosing an Offer to Make 

17 User profile information may include a temporal profile of the buyer's present 

18 activities, including search terms, recent page navigations, what pages is the buyer 

1 9 observing presently (and the profile of this page) or even his/her present physical location as 

20 well as the general user profile. Any portion of the above particularly the latter two may of 

2 1 course be withheld fi-om the vendor). Or the buyer may be more generous in providing this 

22 information about the various static or dynamic features. 

23 Vendors can target buyers on the basis of their preferences and interests, and also 

24 within the temporal context of when they are most likely to be receptive to offers (thus 

25 providing also a benefit/service to the buyer as well as enabling the competing vendors to 

26 increase the price point at which their competition begins, knowing that the buyer is in an 

27 optimally receptive condition to accept offers for that item). For example, a user might 

28 release to a vendor the current context of a user's pxirchase, such as the click stream over the 

29 past 5 minutes. 

30 In the preferred implementation, vendors are also provided with a (client or web- 

31 based) rules interface which enables the vendors to input pre-stated rules with which the 
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1 system may solicit and respond to competitive offers automatically. In this way data mining 

2 may be performed in order for the vendor to determine what a user (or all users) by attribute, 

3 tend to best respond to by product, product feature, features or services of the vendor, price, 

4 etc. If pre-stated rules are used to automatically respond to a notification with a competitive 

5 offer, the nature and degree of discount is typically determined in accordance with the 

6 nature and degree of the original or previous offer and/or the user profile as disclosed by the 

7 client-level proxy/server to that vendor. In lieu of manually entered rules, co-pending patent 

8 application entitled "System for the Automatic Determination of Customized Prices and 

9 Promotions" another similar algorithmic methodology may be used as an aid by the vendor 

10 in order to automatically determine a competitive offer (or subsequent responses thereto) as 

1 1 well as an aid to the vendor in selecting optimal rules. 

12 These techniques can also be used such that predictive metrics as to selection, price 

13 and promotional type, may be optimally determined in relation to the individual buyer or 

14 specific relevant user profile attributes, for example, in accordance with a data analysis 

1 5 expert of the vendor (or representing the vendor via SDI) analyzing randomized versions of 

1 6 user profiles and randomized aggregate statistics. These metrics may be linked with actual 

17 behavioral statistics of the buyers on the vendors' web site, hi order to further drive 

18 competition between vendors, the time-of-purchase system can provide each competitor 

19 details of the final transaction which the buyer chose to accept. Accordingly, in an attempt 

20 to better improve their competitive advantage in the competitive bidding process a vendor 

2 1 may also wish to analyze a user's purchases and adjust its future offers to similar users. 
22 

23 Choosing a Profile to Release 

24 From the buyer's perspective, there is an elaborate methodology for the automatic 

25 determination of the particular buyer information which, if released, will elicit the most 

26 optimal offers firom vendors which can be determined by utilizing that same type of pricing 

27 model which the vendor is likely to use (for example that same method deployed in co- 

28 pending patent entitied "System for the Automatic Determination of Customized Prices and 

29 Promotions" an instead be tailored to determine which metrics in the user's profile decrease 

30 the overall price point and/or increase overall value over an "average" user (with no profile 

3 1 disclosure). 
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1 It is even conceivable that vendors could (upon user permission) be allowed to 

2 directly identify plus enter- into a live discussion with the user during the time-of- 

3 purchase competition process. A variation of the system was even is further disclosed in 

4 the above co-pending application which was intended (according to the above referenced 

5 co-pending specification) as an electronic assistant to tele-marketers and other sales 

6 persons to determine offers and counter-offers which are automatically generated in 

7 response to (for example) rejections of the previous offer as well as counter offers by the 

8 buyer. This dynamic system was originally designed for salespersons to optimize the 

9 expected profit from each customer (in view of the general user profile and the offer 

10 buyer responses up to that point in the negotiation). As such, this technique could be 

1 1 readily extended to the current application in which the previous offers up to that point 

12 may instead originate from other vendors (instead of a single one), thus the system 

1 3 responses may be affected by the user profile as well as the offer response pairs up to that 

14 point in the negotiation process. 
15 

16 It is likely that vendors will not compete on price alone, but rather through added- 

1 7 value services such as offering loyalty bonuses, cross-sells, and two-for-one offer and added 

1 8 features as well as service advantages such as fast delivery, guaranteed service/maintenance, 

19 warrantees etc. Vendors will choose this mode of selling to prevent simple price- 

20 comparison at the client. Conversely, in some instances vendors may attempt to eliminate 

21 the features in order to create the perception of a better deal through marginal price 

22 reductions, then possibly add these features as counter offers to other vendors in which the 

23 same price may be maintained. 

24 Accordingly the above referenced algorithm as provided by the customized prices 

25 and promotions scheme, may offer valuable competitive insights to the vendor in being able 

26 to assemble more appealing cross-sells/up-sells and more complex offers (including 

27 multiple items which are adjusted by the system to be extremely desirable to the buyer) 

28 more effectively than the competition. Therefore the client will receive offers from multiple 

29 vendors, and after initial filtering of the large collection of offers, present a choice set to the 

30 buyer. 
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1 SDI can also present a buyer with ratings or annotations for items across multiple 

2 competing products, for example, within the context of buyers whose attributes (which may 

3 be important pricing features) are similar to that of the buyer. SDI might also monitor 

4 previous offers made by vendors, so that if a better offer was made in the past a buyer can 

5 request the lower price, and try to bargain with the vendor. Typically the resulting purchase 

6 recommendations are presented as suggestions on the user interface to help the user's 

7 assessment of valuing the offer as a "good deal" as well as to -accurately represent his/her 

8 own preferences. Some users may, however, use this feature as part of a fully automated 

9 (agent mediated) buying process which is performed in asynchronous fashion (as described 

10 below, this typically is only necessary if the time-of-purchase system is deployed in order to 

1 1 create buyer coalitions prior to negotiating with the vendors. Of course the time of purchase 

1 2 competition enabled buyer will distribute the offers in order to elicit vendor competition. 

13 SDI can also present a buyer with previous time of purchase vendor competition 

14 negotiations e.g. offers made in the past by vendors for similar products as those provided 

1 5 by that prospective advertiser (even from the same vendor) which are at least as competitive 

16 as offers made to that user or "similar" users. Because of the competitive nature of this 

17 environment, vendors will wish to leverage all of this information and using their own 

1 8 pricing algorithms and data mining tools, crafl optimal offers through the pseudonymous 

1 9 buyer database. 

20 If the buyer so desires, the client-level proxy can also automatically notify these 

21 vendors iC'when a particular offer is about to be accepted by the buyer. For example, a time 

22 delay response in the client-level proxy actually processing the order requests could allow 

23 vendors a final opportunity to present another competitive offer to the buyer. In another less 

24 optimal variation, vendors are notified only upon the buyer agreeing to accept an initial offer 

25 received. A secure function within the buyers client residing within the Secure Sockets 

26 Layer (SSL) is able to authenticate to the vendor's receiving the notification that the offer is 

27 true and untampered by the buyer through the transmission of a secure encrypted message. 

28 As an additional service to buyers the SDI-level proxy server can perform analysis on the 

29 offers that a buyer receives, through comparison with offers that have been received by 

30 other buyers with the best offer that has been received by any buyer for the same product, 

3 1 and with the typical offer received by a buyer with a similar profile to the buyer. This can be 
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1 useful to a buyer because it will allow the buyer to reject all offers if they are non- 

2 competitive. The SDI-level proxy could also automatically identify for buyers the profile 

3 attributes that promote good offers, and the profile attributes that promote bad offers, as an 

4 informational service to enable buyers to gain better offers in the future, either through 

5 revealing certain information or changing behavior to attain favorable profiles. 

6 If iamworthit detects that discrepancies in the pricing for a given vendor's item 

7 occurs in correlation with certain identifiable user profile information- (not arbitrarily), it 

8 will in the foture initially disclose that data of any other which is determined from past 

9 buyer interactions to be advantageous for the buyer. Should the vendor exhibit price or offer 

10 discrimination (i.e. by having provided more favorable items to other previous buyers, the 

1 1 buyer may demand the lowest price. If the vendor ignores the request and the user has not 

12 received (or does not wish to accept) another vendor's offer for a lower price and the 

13 iamworthit infomediary service may apply pressure upon the vendor such as creating a 

14 buyer coalition and/or making a believable threat (as described below) which has the ability 

1 5 to deny future business to that vendor. If the vendor is able to present an exceptionally 

1 6 attractive offer the buyer may instead wish to stipulate that the offer is valid only if the time 

17 of purchase competition feature is not used by the user, iamworthit' s statistics based price 

18 prediction scheme can then predict if this decision would serve the user's best interests or 

1 9 not based upon the user's purchasing objectives. 

20 Furthermore, we can allow vendors to offer payment to a client in return for 

21 displaying an offer to the buyer, and vendors can also bid for space on the buyer's -web 

22 portal which is often represented as a profile associated with a pseudonym in conjunction 

23 with a description of the ad space. The purchasing decisions of the buyer may be performed 

24 by an electronic representative of the buyer's wishes (as "buyer agenf ) implementing the 

25 techniques of pricing/promotion selection algorithms completely autonomously on behalf of 

26 the buyer. However, the best offer can only be presented to a buyer to the extent that the SDI 

27 client level software understands a buyer's model of 'Value", and can make appropriate 

28 tradeoffs between product features and price (as implicitly inferred by the system through 

29 the above suggested techniques or explicitly stated by the buyer in advance). Nonetheless, 

30 this is a hard problem, and we expect that the buyer will often need to make a final product 
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1 choice decision which could be a default in which the system would defer judgment to the 

2 buyer if it's statistical confidence as to the buyer wishes below a certain threshold. 

3 The collaborative filtering techniques described in pending patent "System for 

4 Automatic Determination of Customized Prices and Promotions", can allow a buyer's 

5 client-level proxy server, termed the buyer agent in this section, to automatically analyze 

6 offers. The system can also be used to send initial offers to vendors, on the basis of historical 

7 information about the transactions that have been performed between other buyers (which 

8 include the benefit of his/her complete user profile data) and the vendor. Offers can (of 

9 course) be sent to a vendor and its competitors. Finally, after offers that are received firom 

10 vendors are pre-screened, they can be automatically ranked for value — ^using a combined 

1 1 quality and price metric (again judged within a collaborative filtering fi-amework). Buyer 

12 feedback e.g. average ratings and annotations fi-om previous buyers may form an additional 

13 criteria. The goal is to leverage the database of other offers that have been accepted by 

14 buyers in the past, and form a model of vendors, to determine whether or not a buyer has 

1 5 received good offers (i.e. we can exchange information witiiin the system of Secure Data 

16 Interchange, and making more information available increases the efficiency of the market). 

1 7 Offers can be filtered and presented to a buyer in rank order. 

18 13.2,1 .5 _Time-of-Purchase with Non-cooperative vendors 

19 We suggest a simple technique to allow a client-side SDI proxy to automatically 

20 detect that a purchase is about to be authorized, and the details of the purchase. The model is 

21 that SDI, or a third-party SDI client, provides a banking service for a user. The advantage of 

22 such a service is that in making a purchase, we can require that the vendor provides 

23 information to the bank about the purchase that is about to be made, as a condition for 

24 validating payment. The system works as follows: 



25 1 . User interacts with vendor, and decides to make a purchase. 

26 2. User provides payment method, for example an SDI bank account number. 

27 3. The SDI bank account server demands information about the product which is 

28 about to be purchased before authorizing payment for the service. 

29 4. The vendor provides the SDI bank with information about the purchase. 
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1 5. The SDI time-of-purchase system can now step into the transaction, and 

2 solicit competitive offers from other vendors. 

3 6. The user is presented with the opportunity to select an alternative offer. 

4 7. The SDI proxy-agent reports the user's final purchase decision to the 

5 appropriate vendor, and denies purchase to the initial vendor if the user 

6 accepts an alternative offer. 

7 8. The final transaction is executed. 
8 

9 13.2.1.6 ^Automatic Buyer Coalition Generation 

10 The time of purchase competition system can also be used to allow the automatic 

11 formation of user coalitions. Coalitions can be generated dynamically based on the 

12 privileged position of the time-of-purchase server in the marketplace. The time-of-purchase 

1 3 server can transparently bundle purchases from disparate end-users, and negotiate quantity 

14 discounts with vendors. Buyer coalition formation can significantly improve negotiating 

1 5 leverage as the collective buying power of numerous individuals using the time-of-purchase 

16 competition feature, and be made completely transparent to users. The ability to offer a 

1 7 single vendor a number of sales allows significant negotiation leverage, and can be used to 

1 8 get special discounts. 

19 Although the coalition formation problem is very difficult in general, because 

20 individuals may not have the same goals and the computation of an optimal outcome with 

21 self-interested agents is hard (for example, how should the profits from a coalition be 

22 divided, how can we assess the value of each agent for tiie coalition, etc.) 

23 The time-of-purchase server has information about the current and pending purchase 



24 requests from users in the system, and can make one-shot coalition formation decisions, 

25 with profits divided equally between agents. Agents provide a one-time bid for a service, as 

26 the offer that they are about to accept from a vendor. This is a guaranteed offer, as the 

27 purchase is about to be made. Therefore, it is a simple matter to aggregate bids from a 

28 number of agents as a bundle bid for a set of items, and negotiate a good price from a single 

29 vendor. This solution to coalition formation is simple, because it is not negotiated over many 

30 steps between agents, but performed one-time with agents tied into an ad-hoc coalition. 
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1 For example, suppose that at any time, in the period of 10 seconds, 100 SDI agents 

2 are about to purchase compact discs, varying in price between $5.99 and $15.99. The time- 

3 of-purchase competition agent has this information, and can perform the following steps: 

4 1 . Collect time-of-purchase requests over a short period of time (e.g. 1 0 seconds). 

5 2. Identify purchases with a common type (e.g. compact discs). 

6 3. Aggregate the sum value of agent's buy prices for the purchases (e.g. sum the 

7 price that each agent is about to pay for a compact disk). 

8 4. Choose a discount on the TOTAL price, e.g. 10%. Make an aggregated buy offer 

9 to appropriate vendors on behalf of all clients (e.g. buy all 100 compact disks for 

1 0 a total 1 0% discount). 

11 5. If successful, divide the final discount over all clients, e.g. subtract 10% from 

12 every CD purchase. Perhaps take a share of the surplus as profit for the brokering 

1 3 role performed. 
14 

1 5 The time-of-competition server can also take a position in the market, identifying 

16 bundled purchases over time, essentially aggregating demand and making offers of a 

1 7 guaranteed stream of purchases over a period of time based on historical information, again 

18 for a discount that can be seamlessly passed onto future purchasers. If the server is 

19 successful in taking a position in the market for some good that its user base seem to be 

20 interested in purchasing, then in addition to returning offers fi*om vendors in the system, the 

2 1 time-of-purchase system can provide good prices to its clients. 

22 Buyers might also form coalitions on the basis of automatically detected synergies 

23 between their requests and predicted similarities between them. This can give buyers more 

24 leverage in negotiation with a vendor. In the automatic evaluation of how "good" an offer is 

25 (how competitively it matches the market demand for that coalition's needs) in iamworthit's 

26 historical user information, it must also utilize information about the effect that size of the 

27 coalition has upon the market's responsiveness. Within the context of the present 

28 framework, the simplest version of the system involves creating the coalition around a 

29 particular item and, however, it also conceivable that it could be formed at the vendor level 

30 in which the coalition members are interested in any item(s) provided by the vendor and 

31 vendor competition is elicited by the coalition across all products which its members 
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1 demonstrate interest in and which are provided by the competitive vendors. Given a 

2 sufficiently large subscriber base, buyer coalitions may be automatically created in real-time 

3 and in ad-hoc fashion (i.e. from the iamworthit buyers who are interested in a particular type 

4 of item at that particular time). 

5 Buyer coalitions typically are able to exert significantly greater pressure upon 

6 vendors the larger they are (this fact applies as well to multiple company b to b buyer 

7 coalitions). As such iamworthit may also notify other members which in accordance with 

8 their user profiles are likely to have an interest in a particular item (or items) in which a 

9 coalition of members have demonstrated interest in order to increase the size of the 

10 coalition. Similarly, the aggregate user profile of all members of the coahtion may be used 

11 in conjunction with collaborative filtering in order to recommend those items which 

12 collectively best match the preferences of the coalition collectively and thus are able to 

13 provide the best deal for the most items possible to that particular coalition. Thus the 

14 coalition model is extended to placing competitive pressure upon vendors across multiple 

15 items, iamworthit must also utilize the above modeling techniques in order to establish 

16 pricing models based on the value of these different items in hght of the total monetary 

17 value which the coalition represents to the vendor collectively. In addition to inferring 

1 8 buyer interest entirely passively, it is possible for buyers to manually edit their profile, e.g. 

19 by modifying or actively selecting categories of purchasables of interest which she/he 

20 would like to be notified of (e.g. via pager) if when a buyer coalition for a purchasable of 

2 1 that type is being established. It is further possible to increase the size of buyer coalitions by 

22 allowing a certain amount of time for buyer's to respond to offers to join that particular 

23 coalition (e.g. 24 hours). Typically a couple of days is all the time that is required to achieve 

24 a substantially maximum buyer response. Also, because some vendors may wish to be 

25 (automatically) informed ifi^when substantially large coalitions approach the vendor, there 

26 may be an additional marginal price advantage by providing an additional period for 

27 vendors to reply. 

28 The buyer may wish to allow the iamworthit time of purchase vendor competition 

29 system to operate in fully automatic mode whereby certain "acceptance parameters" are 

30 provided to enable the buyer agent to act fully or autonomously on behalf of the buyer's 

31 stated (or approved) parameters. This technique is likely to provide a central function 
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1 particularly in most business-to-business iamworthit commercial applications. The 

2 business-to-business commercial domain may exemplify a couple of other novel features 

3 (which are not exclusively limited to business- to-business). For example, because 

4 replenishment of products or supplies suggest much greater repetition and thus 

5 predictability, it is sometimes useful to buyers to also leverage as part of the negotiating 

6 process an advanced commitment of buyer loyalty over an extended period of time, hi the 

7 unlikely event of the buyer changing his/her vendor loyalty after considerable value has 

8 been provided to the buyer, the vendor may control the right to acquire certain assets of the 

9 buyer (e.g. corporate stock) as pre-agreed collateral for the vendor. Also, in the business- 

10 to-business domain iamworthit acts essentially as (or in conjunction with) a buyer-side 

1 1 portal to a web-wide vendor resource, though it could also be integrated as part of a seller 

1 2 side-portal interface tool as well. 

1 3 As an additional service to vendors SDI can provide enhanced profile information, 

14 aggregated from other vendors, to enable vendors to provide better focused offers than can 

1 5 be provided on the basis of the profile information directly associated with the pseudonym 

16 of a buyer. Certain portions of the user profile data that is unavailable for direct collection 

1 7 by the vendor (such as information that is collected on other sites including, in particular, 

1 8 competitive vendor sites) may reveal important information which enables the vendor to 

19 better target that buyer. As such the secure data interchange representing the collective 

20 buyers may aggregate, analyze and sell this data to the vendor so long as the release of such 

21 information does not negatively affect the predicted pricing or value levels for that buyer as 

22 performed by the above type of pricing algorithm. 

23 An interesting variation of this example involves the situation in which multiple 

24 entities represented by SDI users may be negotiating with the same other entity (or 

25 individual). It may be for the same purchasable. Alternatively, it may involve different 

26 purchasables or the represented group may even be a combination of users and sellers who 

27 happen to be presently dealing with the same entity. Accordingly it is important for SDI to 

28 achieve an understanding as to the individual negotiating parameters as well as an 

29 assessment of a market demand model which characterizes the needs and objectives of that 

30 entity with regards to the particular prospective transactions being negotiated which SDI is 

3 1 mediating on behalf of each party which is captured through the main SDI server. As such 
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1 it is often possible to thus attempt to predict the minimal acceptable temis of an offer which 

2 would meet those conditions. The negotiating leverage from all parties is based upon terms 

3 which affect multiple (or perhaps all) of the deals collectively. SDI thus has the power to 

4 significantly strengthen the negotiating leverage based upon a market demand model which 

5 characterizes that entity thus benefiting the entrusted parties on the whole. The statistical 

6 data used for market demand models from the user-centric or vendor-centric SDI is 

7 collected about the other parties which the parties are negotiating with. One usefiil source 

8 for estimating this predicted market demand curve which they represent. For example it is 

9 possible for end-users as a coalition of users to be automatically formed for this purpose. 

1 0 A user-centric SDI is then assigned to the coalition in order to (a) ascertain from user 

1 1 profile information (in addition to subsequent active query or recommended offer feed 

12 back/approval information about terms which the coalition would likely wish to receive 

13 from the vendor (subject to negotiation) (b) ascertain from vendor behavior relating to past 

14 users and coalitions terms which would be reasonable to expect from the vendor in order to 

1 5 anticipate reasonable offers/counter offers to present to the vendor. 

16 The user-centric SDI may even detect from the user profiles the possibility 

1 7 (foUowed-up by a confirmation query to the users) that the users may be willing to commit 

18 in advance for a specified period of time to certain customer performance criteria e.g. in 

19 exchange for not only guaranteed discounts but also an equity stake in the company which 

20 may increase over time and where continued ownership of which is contingent upon its 

2 1 sustained user performance as agreed upon in advance for the specified period of time. 

22 Assuming sufficient willingness, the coalition as directed by the user centric SDI will submit 

23 the recommended offer to the vendor along with its competitors using time of purchase 

24 competition. The coalition may even incorporate a believable threat (upon approval of its 

25 members) (e.g., that it will not deal with the vendor in the fixture if the terms of its request 

26 (such as long-term discount privileges or conversely promise to give the vendor certain 

27 competitive advantages in future user coalition negotiations which may include fiiture SDI 

28 coalitions. 

29 SDFs predictive tool suite can be used to predict the most likely prospects for a 

30 given coalition, i.e., matching users who have explicitly indicated an interest or have 

31 engaged in negotiations or past dealings with a given vendor. As indicated the 
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1 recommended users may be targeted either with the same items or completely different 

2 items, the latter case in which SDI will try to negotiate a lower price based upon the 

3 aggregate sales form the coalition, not the volume of sales for one particular item per se, as 

4 in the first instance. In the present application, however, because negotiating pressure is 

5 being applied by a collection of entities upon (typically) one entity (or possibly alliance of 

6 entities), an SDI (which may typically be spawned fi-om the main SDI service) representing 

7 the coalition is created in ad-hoc fashion. The other entity may accordingly wish to acquire 

8 its own SDI to also represent its commercial interests. Each SDI may represent multiple 

9 parties. No SDI must of course ever represent an entity which is negotiating with another 

1 0 entity which it represents. 

11 Coalitions are typically arranged automatically by SDI based upon observed 

12 synergies in user and seller activities which SDI observes. In fact the predictive capabilities 

13 of SDI could be used to model (1) the anticipated number of cooperating entities which are 

14 predicted to join the coalition and (2) from that information, the predicted terms and price 

1 5 which could be anticipated for the user coalition or (for the seller coalition). The anticipated 

16 price and volume of sales which could be anticipated if the entity were to accept SDI's 

1 7 invitation to participate in the coalition based upon the terms and conditions thereof as 

1 8 predicted to be most advantageous (collectively) according to SDI. 

19 13,2.1 .87.1 Leveraging Control over a Vendor's Suppliers 

20 One of the roles of the iamworthit infomediary service could be extended to helping 

21 users not only identify vendors with whom they are most likely to do business with (vis-a- 

22 vie identifying the most desirable products/services for each user individually as the basis of 

23 the formation of the coalition), but also identifying of the other companies which do 

24 business with the user recommended vendors which companies in particular may present a 

25 potential investment opportunity to the user. Or altematively to determine which suppliers 

26 are potential candidates to do business with a company (or preferably multiple companies) 

27 which sell products which are of interest to the user. This SDI application is one of several 

28 conceivable applications by which the user is able through the intelligence gathering 

29 capability of SDI to identify potential opportunities which could potentially benefit the user 
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1 which are also within control of the vendor wherein commercial pressure may be exerted 

2 upon the vendor via the coalitions. 

3 In this particular application,- assuming that the supplier company is viable, an 

4 additional qualification as an investment opportunity to the user is how early is the 

5 development stage at that time. Additionally, vendors may be selected on the basis of their 

6 ability to provide products/services which match the customer's preferences and currently 

7 do business with suppliers which are prime candidates for investment (i.e., are early stage, 

8 preferably in need of capital investment and importantly are doing business with as many 

9 other vendors as possible which sell products/services of interest to the user. In our 

10 implementation, if the vendor is early stage (i.e., represents a reasonable investment 

1 1 opportunity for the (coalition members), the coalition may guarantee the vendor of certain 

12 customer loyalty commitments which are guaranteed (upon forfeiture if the terms of loyalty 

1 3 are not lived up to), certain shares of stock in the vendor's company. 

14 One criteria for the selection of this vendor includes the particular suppliers which 

1 5 he/she is currently doing business with or would be willing to switch to in exchange for the 

16 coalition's business which is typically a long-term commitment. In conjunction the 

1 7 selection of vendors which the coalition approaches is based upon the willingness of other 

18 competitive vendors to conform to the wishes of the coalition with regards to the vendors' 

1 9 selection of suppliers typically. Several multivendor (supplier) relationships currently exist. 

20 And the objective of iamworthit is to identify suppliers which are well qualified to satisfy 

21 the needs of the vendors which are candidates for their businesses and which similarly 

22 provide significant growth potential, if these vendors switch over to these suppliers. If the 

23 coalition's offer is successful, it will invest in the supplier(s), prior to its public 

24 announcement of having obtained the vendor(s) as a customer(s). If the supplier is in 

25 substantial need of investment (e.g. a private placement), it is even conceivable that the 

26 coalition may be compensated by the supplier in the form of monetary compensation or 

27 preferably fi-ee or discounted product firom the vendor for which they provide their 

28 product/services. This may further assure user loyalty fi-om the coalition and is typically 

29 limited to an initial period needed to entice the coalition members that the investment in the 

30 supplier is worth while in light of the rather high risk in such an early stage company. 
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1 Other more elaborate applications are also conceivable, for example, more general 

2 requests for knowledge and influence over particular executive decisions which are not 

3 highly confidential which may provide benefits to the members of the coalition e.g. in 

4 addition other types of partnering decisions with other vendors also potentially to strategic 

5 product development directions and revisions which provide the coalition optimal personal 

6 satisfaction and value for their purchasing commitments. It is even conceivable that through 

7 the aid of vendor credentials (for identification purposes) user coalitions could bargain with 

8 vendors using "restricted currency" which stipulates its use must be for particular uses, (or 

9 its value for any other users is diminished) (such as vendors in which the coalition has an 

1 0 investment state) . 

1 1 In a variation, these restrictions could "encourage" subsequent transacting parties of 

1 2 the currency (e.g. the employees of the company) to buy fi-om particular vendors which the 

13 coalition support (e.g. in conjunction with or equity stake), perhaps thus encouraging the 

14 employees join the coalition as well. Data mining (performed by SDI) will also indicate 

15 existing vendor relationship opportunities for investment between/within (respectively) 

16 different vendors as well as the flow of currency through sequences of transactions in which 

1 7 these complex vendor synergies exist even indirectly via one (or multiple) removed vendor- 

1 8 vendor and user- vendor relationships. 

19 13.2.1 .87.2 _Coalitions Created For Purposes Of Eliciting Change On The 

20 Part Of Vendors 

21 In addition to applying market pressures, one other example in which entities may be 

22 automatically introduced into coalitions using SDI may involve SDI automatically 

23 identifying certain situations or complaints from users or entities in which there may be 

24 common ground for these parties to collectively apply political or legal pressure upon 

25 another entity from which the problem arises, or in one example to apply legal tactics for 

26 purposes of -reclaiming damages from the infringing party. For example, members of SDI 

27 could be asked to disclose particular instances of these types of legal infractions even if they 

28 are relatively minor (e.g. simply a short fall in acceptable quality of misrepresentations 

29 through misleading advertising etc. may be relatively minor inconveniences and/or a site 

30 may be provided as well for non-SDI members (e.g. www . class. action. com . 
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1 A similar application tailored specifically to the Federal Government could also be 

2 provided (e.g., www.govemment industries.com. In one example, SDFs ability to provide 

3 annotations excluding complaints and ratings pertaining to particular organizations and 

4 individuals is complemented by the current scheme by introducing the ability of users to 

5 apply pressure to the organization or individual as a coalition in order to more effectively 

6 motivate the desired change accordingly. To this end other tactics may be used, for 

7 example, a threat to collectively sponsor negative advertising or editorials. Li fact, the 

8 above technique for presenting a believable threat could be utilized in this case and backed 

9 up by an insurance policy which provides in addition to the guaranties that the threatened 

1 0 action will be carried out, for example, by X date unless a particular condition is met, also 

1 1 provides sufficient funds to follow-through accordingly and in one variation fLxrther instill 

12 the motivation on behalf of the parties by actually insuring the outcome of the litigation 

1 3 (where the threatened (and guaranteed) consequence is sufficiently great that the entity is 

1 4 much rather proved to settle thus reducing exposure significantly. 

1 5 Within the present system SDI provides the fi-amework by which appropriate users 

16 and sellers may be matched together. It also enables a methodology by which the user 

1 7 interests are protected through the use of matching of sellers offers to competitive vendors 

1 8 (using iamworthit). 
19 

20 13.2.1.78 Single-user Time-aggregated Purchases 

21 Another extension is to propose a special interest-bearing bank account which we 

22 set-up for the user which is tied into a wallet or debit/credit card for off-line transactions. 

23 We can allow a user agent to bundle its own purchases over time, and use the system of SDI 

24 to guarantee fiiture payment to on-line vendors in return to a good current offer. This is 

25 novel, because it is like participating in a "discount scheme" without purchasing the right to 

26 future discounts up front. A user can still invest money that is earmarked for future 

27 purchases with a vendor. 

28 We describe a wallet application for this purpose, that allows a user of SDI to 

29 commit currency to vendors for future purchases. The time-of-purchase competition system 

30 can allow vendors to see the pseudonymous purchasing profiles of users (e.g., over the past 
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1 12 or 18 months) which are relevant to their respective commercial venues and 

2 competitively bid for the opportunity to acquire from that user a "pre-commitment" for 

3 similar spending amounts within the same time period going forward (provided that that 

4 vendor offers the same/similar categories from which the user had purchased that amount in 

5 the past from another vendor(s). 

6 The "committed currency" in the user's account is not actually spent and thus 

7 remains interest-bearing for the user, and because the dollars are exclusively and 

8 irreversibly earmarked, the actual debit could even occur substantially after the actual 

9 purchases ultimately occurs with that vendor. Vendors marketing the service may be able to 

10 exclude competitive offers (as is the case with the standard time-of-purchase competition 

1 1 application). 
12 

13 13.2.1.98 Special Vendor Treatment in a Community Dollar Scheme 

14 There is a variation of community dollars in which some of the competitive 

1 5 features of the time of purchase competition system can be utilized by vendors to provide 

1 6 a competitive advantage over other vendors. 

1 7 Each vendor is given exclusive rights to information about offers which users who 



1 8 subscribed through their site or portal are currently considering. All other competitive 

19 vendors are denied access to time-of-purchase competition for that user. The vendor may 

20 request profile data from the user which s/he may wish to optimize the selection/features 

21 of the particular product offering as well as the value of the offer, and use SDI or its own 

22 price engine as before. 



23 If the user has also subscribed to fiiU time-of-purchase competition, he/she may 

24 be willing to give the vendor the right to provide the first counter offer. If the user does 

25 not accept the counter offer, the system can default to the standard multi-vendor 

26 competitive scheme. 

27 Vendors signed up with the community dollars scheme may also be provided with 

28 special privileges for advertising to a user as the user browses the Internet. This can be 

29 used to encourage more vendors to sign into the SDI/community-dollars scheme, to be 

30 exempted from ad replacement technology and receive other preferential treatment. 
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1 The present time-of-purchase competition scheme can also be adapted for the application 

2 to television commercials. In a preferred commercial mode a relationship is created 

3 between iamworthit and one of the providers of commercial insertion technology (at the 

4 head end). All cable providers not utilizing the particular commercial insertion 

5 technology provided by that particular partner provider would be subject to the use of the 

6 commercial replacement technology which iamworthit provides by delivering typically 

7 (but not exclusively) digital set top terminals streaming (HTML based) video 

8 commercials or the same preloaded onto the set top for subsequent display. The system 

9 is able to recognize if/when commercial breaks occur during the course of standard video 

1 0 programming through tags which are typically digitally encoded or (in the case of analog 

1 1 TV) transmitted within the vertical blanking interval. 

12 The system could also allow a vendor to deliver (again by predefined rules) 

13 certain criteria for undercutting, in real time, any offer which the user browses (or even 

14 receives via e-mail). As in the case of time of purchase competition, these dynamic 

1 5 counteroffers can be delivered to the user via either the advert replacement system or a 

1 6 pop-up window/java-script window. 
17 

18 Vendors might even compete to "buy" the rights to exclusively deliver 

19 competitive offers to any offer which the user may happen to view and which is 

20 competitive to another product/service which the vendor provides. The terms of the 

2 1 rights which the vendor actually purchases may include the number of competitive offers 

22 which the vendor can provide in the future, the degree of the conditional "value" which 

23 the vendor would provide through the competing offer, the category(s)/domain(s) which 

24 the vendor purchases the right to compete, the degree of exclusivity/non-exclusivity. A 

25 vendor may also wish to constrain the ability of potential competitors to submit counter 

26 bids. 
27 

28 Vendors in all other product categories can retain the ability to compete for any offer 

29 which the user receives. It is possible that vendors with exclusive rights may also try to lock 

30 a user into future purchases. Again, this ability to lock users into future purchase 

3 1 commitments may be auctioned to competitive vendors. The dedicated currency auction 
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1 web site- (e.g., www.creditauction.com ) is architecturally very similar to the time-of- 

2 purchase competition variation of the service with the exception that it is a market place in 

3 which many users may submit their profiles with request for offers fi-om vendors across any 

4 or all categories relevant to their profile as requested or agreed to by the user. A variation of 

5 this dedicated currency involves a scheme for time shifting into the fiature the transfer of 

6 fiinds fi-om the users account to the vendor's (thus allowing the users money to accrue 

7 interest during that period). Thus dedicated currency whether it proceeds or preceeds actual 

8 purchase events guarantees the vendor sales which can be used plan capital 

9 improvements, attract credit or investment funding while providing benefits such as 

1 0 and/or interest on money spent to consumers. 

11 

1 2 This reverse auctions for time-shifted purchases may also encourage vendors to form 

13 virtual retailer communities, to accept a common currency and offer a fiill range of products 

14 and services to a user. Any offers involving the user dedicating any form of "value" for the 

1 5 user for fiiture purchases of products/services is applicable towards purchases at any of these 

16 vendors in the community. SDI can be used to identify optimal combinations of vendors, to 

17 best satisfy the customer's needs. Unlike prior art multi-vendor loyalty point systems, in 

18 which the selection of vendors is static across all users, this allows the dynamic creation of 

19 loyalty schemes. This is possible because of the consumer preferences which can be made 

20 available via SDI. hi cases where vendors offer some common products it may be possible 

21 to redeem value at either vendor's site, or to restrict a purchase to products at only one of 

22 vendors. From a data analysis perspective a primary criteria for matching vendors is to 

23 identify those which have products predicted to be interesting to the user are metrically close 

24 to each other within user (cluster) space (are predicted to be preferred by many of the same 

25 customers) AND have a minimal number of products which overiap, thus minimizing 

26 collaboration among competitors. 
27 

28 The actual debiting of a user's account can occur substantially after a commitment 

29 to spend money with a vendor, allowing a user to continue to accrue interest. In this 

30 multi-vendor mini market the money can be earmarked for that vendor exclusively at the 

3 1 moment of purchase. 
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1 

2 13.2.1.109 _LEIA Enhanced Time-of-Purchase 

3 One application of LEIA involves the integration of the time of purchase 

4 competition architecture. In particular, purchasables which a user is browsing with an 

5 associated offer price may be either purchasable on-line or off-line. Based upon his/her 

6 present physical location, if the user so desires s/he may identify not only other similar items 

7 but also that subset of these items sold by bricks and mortar vendors which are physically 

8 proximal to the user's current location (thus available for immediate purchase). By 

9 introducing location enhanced information to users about their relative similar proximities to 

1 0 off-line purchasables the time of purchase vendor competition model is further enhanced by 

1 1 placing additional competitive pressure upon those vendors selling similar goods 

1 2 exclusively on-line (which are not immediately available to the user), hi this environment if 

13 an off-line product offer is ultimately accepted by the user, a digital certificate could be 

14 securely conveyed to the user or authentication of his/her identity could be established at 

1 5 time the offer was accepted and upon redemption. 

1 6 The Location Enhanced Information Architecture (LEIA) enables vendors in the 

17 vicinity of where a user is traveling to deliver a targeted ad or particular personalized 

1 8 offer. Or a user may search or navigate directories on the Web or browse a particular 

19 (competitive) item. Regardless of the mode of access, the system filters or identifies 

20 purchasables by their direct physical proximity to the user (or the user's intended travel 

21 path). If the time of purchase competition system uses location proximity of an item as a 

22 parameter for vendors to compete with one another (i. e. providing an additional 

23 speed/convenience factor for on-line items with an off-line sales presence) the particular 

24 vendor's price which is finally agreed upon and accepted by the user can be securely 

25 enforced at the point of sale using a digital coupon which is non-transferable and non- 
26 reusable may be down-loaded to the user's device, printed or simply securely transmitted 

27 to him/her as a unique code redeemable with user identification at the physical point of 

28 sale. These techniques are fully disclosed in co-pending patent application entitled 

29 "System for the automatic Determination of Customized Prices and Promotions". 
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1 13.2.1.110 Extended Example: Medical Insurance Application 

2 Problem statement: 

3 Increasingly, insurance companies are denying claims for medical services. 

4 Hospitalized patients frequently have in-patient days denied, in part or totally, and 

5 associated services and studies may also be denied. Days of partial or total denial are 

6 especially important for non-DRG (Diagnosis Related Group, Non-Medicare) insurance 

7 subscribers. Also in-patient and out-patient testing and services are frequently denied at the 

8 discretion of insurance administrators. These denials persist despite consistent efforts by 

9 hospitals and hospital personnel to properly document the appropriate protocols to alleviate 

10 patients' illnesses. Similarly, out-patient medical care in doctors' offices is not infrequently 

11 denied, and to the extent of prohibiting effective diagnosis and treatment. At times, 

12 hospitals as well as out-patient office personnel do not have the necessary information to 

1 3 know, prior to treatment, which services are eligible for reimbursement, partially because of 

14 the multitude of coverage pattems. The providers must frequently appeal non-payments 

1 5 retrospectively, by letters, further documentation and repeated telephone calls, all of which 

1 6 may or may not be effective, apparently depending on the capriciousness and the judgment 

17 of the particular clerk or medical personnel in the carrier's office. These situations have 

1 8 produced enormous pressures to improve communications by extracting detailed data from 

19 providers pertaining to carriers failing to support appropriate and necessary health care 

20 delivery and documentation of how these insurance issues have caused definitive health 

21 problems. This data will be used to exert pressure on insurance carriers. In view of these 

22 major economic pressures, hospitals and other providers of medical services will definitely 

23 be most cooperative in providing detailed billing and clinical information with appropriate 

24 release consents, or alternatively through deployment and utilization of the proprietary 

25 techniques for privatizing patients' records using a pseudonymous proxy server. This 

26 information will be provided by the billing and medical records departments of the hospital 

27 and also, in the case of hospital employees, from the Human Resources Department of the 

28 hospital for reimbursement for medical services for hospital personnel. The minimal 

29 information should include the billing record for those in-hospital days or the specific 

30 services/tests denied and the discharge summary of that hospitalization. Based on reviews 

31 of this material, fiirther portions of the in-hospital clinical record may be requested. 
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1 (Additionally, the iamworthit service provides for the utilization of the above mentioned 

2 proxy server for collecting and maintaining pseudonymous patient data whereby advertising 

3 revenues from industry advertisers accessing/targeting desired user profiles may be shared 

4 with the hospital and potentially also the patient, thus further insisting the hospital to provide 

5 this needed patient data). 

6 

7 A compounding problem is the lack of information provided prospectively by insurance 

8 companies to hospitals, physicians and other providers. Subscribers and providers have 

9 the right to know, in detail, the number and kinds of services covered, and the depth of 

1 0 the insurance coverage including the length of stay. This information is legally 

1 1 accessible and can be made available not only to the patient, but also to his/her physician. 

12 On exemplary commercial need for the present service by employers who wish to 

1 3 reinsure their employees with quality coverage. 
14 

15 Solution: 

16 In order to protect the consumer, a solution proposed to address a timely and 

1 7 overwhelming need on the part of consumers to establish a control data bank, accessible 

18 to the consumer, which reveals general and specific instances of miscarriages by health 

19 insurance carriers of their fiduciary obligations to provide timely payment for essential 

20 health care services. Based upon data regarding the insurance company's stated policy 

21 and statistical analysis of the ultimately approved or disapproved coverage, performance 

22 criteria may be determined pertaining to the percentage likelihood of the insurance 

23 company covering certain services and length of hospital stays for future services to 

24 patients. In order to provide a robust and comprehensive statistical analysis, it is also 

25 required that a certain core sample of non-coverage denied service be collected in order 

26 to determine a variety of correlation criteria which affect the probability of coverage in 

27 addition to the identity of the carrier, also the type of prescribed medical care for 

28 associated illness wherein coverage for hospital stay or treatment is denied. Other 

29 correlations are possible, e.g., the medical history of the patient, the family history, etc. 

30 Of additional importance, statistics may also be provided which indicate the degree of 

31 adherence (integrity) of an insurer to provide coverage and to provide it with the level of 
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1 depth of coverage which was purported by the insurer according to its standard claims 

2 policy. The iamworthit insurance service is accordingly designed with two primary case 

3 objectives: 

4 1) Provide detailed statistics based on robust historical data regarding realistic 

5 expectations which the patient can anticipate regarding acceptance, denial and quality 

6 on the basis of various types of coverage given the context of the insurance needs and 

7 requirements of the buyer and based upon the specific services and depth of coverage 

8 purported by the insurer and any associated medical information regarding the buyer. 

9 The service could even anticipate, by review of the collective medical statistics the 

10 most likely type of coverage the buyer may need, based on his/her medical record 

1 1 specifically within the context of the associated determined probability of coverage 

12 and quality thereof for each insurer in view of this medical history of the buyer. In 

13 addition, iamworthit may provide a general informational resource where buyers can 

14 access such statistical information by carrier. Data mining tools may enable the buyer 

15 to extrapolate the desired statistical correlations as to his/her type of profile of 

16 medical or specific features of his/her medical condifion or specific type of coverage 

1 7 and thus in light of this robust data better equipping the buyer to determine which 

18 insurance provider and associated policy is most appropriate for his/her specific 

1 9 health care coverage needs; 

20 2) This information may be accessed in real time by the buyer (or for e.g. buyers, 

21 employer) while browsing specific insurers' sites, receiving specific offers by 

22 insurers (typically requiring certain medical information) or browsing an insurance 

23 retail portal. Typically, buyers of the present service will combine their use of the 

24 present browsing-based information with the Time-of-Purchase Vendor Competition 

25 Services (described below). Additionally, a rating feature may also be provided 

26 which enables the buyer to rate (and subsequent buyers to observe the averaged 

27 ratings) the various vendors by various types of criteria relevant to the buyer's 

28 experience in receiving acceptance, quality and depth of coverage (as well as how 

29 well the insurer adhered to promises for coverage as stated in its standard policy for 

30 coverage), of course, this feature could be used if for insurance products on-line for 

3 1 later purchase off-line. 
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1 

2 lam worthies time-of-purchase vendor competition application to medical insurance 

3 (as applies similarly to numerous other e-commerce commercial domains) involves the 

4 following protocol : 

5 The iamworthit enabled consumer provides specific needs or requirements as to 

6 what types of medical insurance products or areas of coverage are desired. These requests 

7 may be submitted either to a portal (or "mall") which connects the buyer to an extensive 

8 resource of medical insurance providers, or, alternatively, these requests may be submitted 

9 to iamworthit which provides its own default portal to these resources (which likely exists 

10 and is marketed as an independent marketplace for insurance purchasers on its own behalf). 

1 1 Upon submitting these buyer requests, iamworthit is able to provide numerous competitive 

12 insurance providers offering similar insurance products which in this application may be 

13 accompanied by certain credentials (such as the buyer's age and many other clinical 

14 parameters). 

15 Additionally, the pseudonymized digital medical records of the buyer (which may 

1 6 also be requested by an insurer, typically in addition or instead of submitting a questionnaire 

17 regarding the buyer's health such as certain pre-existing medical conditions). Typically, 

1 8 patient medical records are a prerequisite to submitting an offer. The insurers may then 

19 provide specific offers for their respective products. Additionally, the buyer may browse 

20 various insurer's sites, providing pseudonymous medical data to the extent (and type) that it 

21 is requested and, specifically, to which providers the buyer desires. As offers firom 

22 insurance providers are collected (in response to requests and/or browsing interactions), the 

23 time of purchase vendor competition is elicited whereby each insurance provider is 

24 automatically notified as to the most valuable offer(s) provided by a competitor(s) and are 

25 given the opportunity to submit counter offers accordingly. It should be noted that the 

26 determination of the value may be in accordance with certain buyer prescribed 

27 specifications such as price or certain expert determined criteria which consider either the 

28 price in combination with completeness and depth of coverage and, if relevant, the level of 

29 satisfaction of the buyer's request criteria. 

30 Additionally, iamworthit provides the ability for buyers to share the information of 

3 1 offers they have received in accordance with the associated medical profile and/or response 
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1 to health related questionnaire information, in order to determine if an offer which is 

2 submitted by an insurer inappropriately discriminates against the current buyer in terms of 

3 price or depth/comprehensiveness of coverage, or where such discrimination occurs in 

4 conjunction with buyer medical data which is prohibited by insurance regulatory guidelines 

5 as a valid criteria for such discrimination. lamworthit's insurer coverage statistics (which 

6 the buyer may typically wish to observe in conjunction with the present time of purchase 

7 vendor competition functionality) are an additional important value determination factor 

8 (which may be factored in as an additional weighting criteria as numerically prescribed by 

9 the service (or by the buyer) and/or accordingly for purposes of setting a threshold by which 

10 insurers become disqualified as candidates for the buyer's business, ki a variation, as is 

11 provided by the current model, buyers may instead first receive the historical offer 

12 information from other "similar" medically profiled buyers in order to submit a bid to that 

13 carrier which offered the most relevant and beneficial offer as well as all of the other 

14 competitive insurers. As is also provided according to the current scheme, the present 

15 iamworthit time of purchase vendor competition facilities may operate fully autonomously 

1 6 on behalf of the buyer (incorporating, if desired, specific request criteria). 

1 7 Thus, optimal offers are provided to the buyer by a "buyer agent". Additionally, the 

18 present service may with some modification be provided to buyers dialing into an 800 

19 number. Typically, in this case, however, (as is also the case in the on-line implementation), 

20 if the buyer does not have access to his/her pseudonymous medical records, he/she would 

21 typically answer a questionnaire for each provider (which would typically consist of an 

22 aggregate questionnaire satisfying the requests of all relevant carriers which could then be 

23 submitted automatically, or an agent could be programmed to automatically complete the 

24 questionnaire as needed. 
25 

26 Commercial Alliances with Regional or National Health Care Organizations - 

27 Because of the tremendous restrictions in providing insurance coverage to 

28 organizations which provide health care services, it will be greatly to their advantage for 

29 patients and physicians to be able to benefit from more fair and competitive insurance 

30 coverage by using time of purchase competition and the associated coverage probability 

3 1 service (providing full disclosure of non-coverage and inequities in delivery of coverage). 
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1 The primary joint marketing entities which will benefit most significantly firom this service 

2 and thus will be the strongest commercial allies, include independent physicians, medical 

3 clinics, large physician groups, pharmacies and perhaps even pharmaceutical companies, 

4 providers of medical supplies, hospitals and home health providers. Of the above entities 

5 listed, physician groups, clinics, and hospitals do a tremendous amount of advertising 

6 directly to consumers (and this is becoming increasingly true via the intemet for physicians 

7 in private practice), particularly through the direct advertising medium of the intemet (e.g., 

8 advertising on their web sites as well as email). These organizations, in light of their direct 

9 marketing exposure to the consumer which they provide, would likely become powerful 

10 allies in assisting the promotion and exposure of the competitive insurance with full 

1 1 disclosure of claim information service to their consumers. 

12 Secondly, health care organizations which market to health care professionals, such 

13 as physicians and nurses, including pharmaceutical companies, pharmacies, and home 

14 health care providers may indirectly benefit by informing their target customers about the 

1 5 above consumer oriented service. 
16 

1 7 Quality Ratings of Medical Suppliers 

18 iamworthit's insurance application provides a natural entry into a second 

19 commercial application of the service. In a fashion similar to that of Time-of-Purchase 

20 Vendor Competition Scheme, for purchasers of insurance products, another useful 

21 commercial application of the present service is facilitating the time of purchase vendor 

22 competition between medical suppliers and equipment providers. The synergy by which 

23 this second commercial application is enhanced is as follows: physicians and hospitals will 

24 likely be cooperative allies to the service in providing patient information substantially as 

25 required as well as promoting (along with home health care providers) particularly the 

26 iamworthit insurer coverage probability service to their consumers. They will also likely 

27 utilize such a resource for internal uses and if^when HMO service liability legislation 

28 becomes enacted, for legal purposes as well. 

29 To the buyer's advantage, it is possible (as in the insurance application, albeit less 

30 likely) that unfair or arbitrary price discrimination may be detected and counteracted by 

31 iamworthit's data sharing feature. Common buyers in this environment include hospitals, 
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1 physician clinics, home health care providers and to a lesser extent HMOs and end-buyers, 

2 the nature/types of supplies and equipment which tend to be purchased by each of the above 

3 categories of buyers are provided in further detail below. As suggested earlier in this 

4 description (and in issued patent "Pseudonymous Server for System for Customized 

5 Electronic Identification for Desirable Objects"), a vertical portal as the one described, may 

6 be personalized based upon the user profile as disclosed upon accessing that portal in 

7 general, at the item level as within a category (or in conjunction with search results). 

8 Additionally, vendors may be equipped with price discrimination tools and are in fact highly 

9 motivated to form a coalition by entrusting their data and counter offer responses to 

1 0 incoming time of purchase vendor competition offers and bids to SDI (or at least an industry 

1 1 specific counterpart of SDI) for medical suppliers in order to provide limits or "price 

12 ceilings" for any given buyer and associated profile and condition relating to competitive 

1 3 offers or bids. 

14 As in the case of almost any category of purchaser, particularly the larger entities, 

15 such as, unions, hospital systems and large physician organizations, additional bargaining 

16 leverage can be applied to suppliers because of the volume of supplies which can be 

1 7 purchased. The iamworthit model is particularly also likely to facilitate the buyer's leverage 

1 8 when negotiating long-term contracts with suppliers tiirough the buyer-buyer data sharing 

1 9 and real time competition^idding facilities which iamworthit provides. 

20 Finally, it is worthy to note that as in the insurance application, a rating feature may 

21 also be provided which enables the buyer to rate (and subsequent buyers to observe the 

22 averaged ratings) the various vendors by various types of criteria such as quality of products, 

23 promptness of delivery, quality of service (or as in medical equipment, quality and 

24 promptness of technical assistance/repairs), availability of desired inventory etc. 

25 There are a variety of types of health care organizations which could directly benefit fi*om 

26 the time of purchase competition and quality rating service of medical suppliers which are 

27 described below: 

28 (a). Physicians Clinics and Large Physicians Groups - Typical types of medical supplies 

29 and equipment which these organizations will purchase using the iamworthit medical 

30 supplies application include: equipment such as X-ray equipment, ultrasound units, EKG 
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1 units, EEG units, computer and other office hardware, chemical analyzer units, cHnical 

2 supplies, office flimishings, pharmaceuticals, etc. 

3 (b). Hospitals and Hospital Systems - Typical medical supplies and equipment which 

4 hospitals will accordingly purchase include: MRI units, Cat Scan Units, X-ray units 

5 (including units for special studies and mammograms), radiation therapy units, stress-testing 

6 equipment, hematological and chemical testing equipment, surgical supplies, prosthetic 

7 supplies, patient-care supplies for medical and surgical floors, IV solutions and 

8 pharmaceuticals, physical plant operational and replacement equipment and supplies, etc. 

9 c). HMOs - Currently, a certain percentage of patient health plans include coverage for 

10 pharmaceutical products. These products are typically provided through contract with 

1 1 centralized pharmaceutical suppliers. It is accordingly reasonable to suspect that many of 

12 these HMOs will invite the opportunity to provide these supplies through a more open 

1 3 dynamic marketplace environment as is provided by the iamworthit service. 

14 (d). Union Directed Health Care Organizations - Union clinics typically purchase 

1 5 equipment and supplies, similar to private clinics or large physicians offices, as described 

16 above. Union private health care organizations would be compelled to incorporate the 

1 7 iamworthit medical supplies application as it similarly could apply to all of the above 

1 8 entities. 

1 9 (e). Home Health Care Market - Equipment and supplies which are, in part, similar to large 

20 physicians clinics as well as some hospital - type supplies, used to provide out-patient care 

2 1 and maintenance services. 

22 Patient Medical Records 

23 The secure data interchange provides a secure and privacy protected storage and 

24 retrieval architecture in which buyers (in this case patients) are able to control the use of 

25 their personal profiles (in this case medical record information). Herein, we propose an 

26 alternative model which is based upon the assumption and belief that purveyors of this 

27 medical information, including hospitals, physician's offices/clinics, labor unions, (to some 

28 extent) HMOs are legally permitted to disclose and use their information for advertising 

29 purposes so long as a method is provided which insures that their information- will not be 

30 associated with any identifying information about the patient (name, address, social security 

3 1 number, etc.). If regulatory constraints and/or the purveyor of this information prohibits the 
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1 use of this information for the above purpose, patient permission could be acquired by 

2 patient signature on all appropriate consent forms at the time of admission and directly on 

3 the admission form. 

4 In one variation, software may be provided to the organization which enables the 

5 organization to operate their own pseudonymous proxy server, thus enabling access by 

6 advertisers to the pseudonymized patient records. Email and/or telephony-based 

7 pseudonymous communications could be readily provided. For direct mail, the address 

8 information maintained by the hospital would mandate the hospital to provide direct mail 

9 advertising to the patients or to entrust this operation to a pseudonymous physical mail 

10 service such as SDL In the (much) preferred variation, a trusted pseudonymous proxy 

1 1 server operator maintains the patient information on an external database (this would 

12 perhaps be SDI or an SDI-like service) in which all of the above pseudonymous 

1 3 communication media could be provided along with pseudonymous direct mail services. 

14 For the SDI data entrusted variation, the preferred business model to provide incentives 

15 to these organizations to cooperatively provide this data would involve SDFs privacy 

16 policy enforcement capabilities in combination with a revenue sharing model in which 

17 revenues from advertisers such as pharmaceutical companies, pharmacies, clinics, 

18 HMOs, hospitals (where the purveyor of the data is not a provider of the same 

19 competitive services). In the case in which HMOs are the advertisers, the HMO would 

20 identify patients who are currently subscribed to competing HMOs and (typically) have a 

21 medical history indicative of a good risk to the HMO. The iamworthit insurance 

22 competition scheme, as above described, could be implemented within the context of this 

23 current solicitation scheme in order to elicit time of purchase competition among HMOs 

24 upon the submission of an offer by the original HMO to the pseudonymous patient. 

25 Aadvertising purposes so long as a method is provided which insures that their 

26 information will not be associated with any identifying information about the patient (name, 

27 address, social security number, etc.). If regulatory constraints and/or the purveyor of this 

28 information prohibits the use of this information for the above purpose, patient permission 

29 could be acquired by patient signature on all appropriate consent forms at the time of 

30 admission and directly on the admission form. 
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1 In one variation, software may be provided to the organization which enables the 

2 organization to operate their own pseudonymous proxy server, thus enabling access by 

3 advertisers to the pseudonymized patient records. Email and/or telephony-based 

4 pseudonymous communications could be readily provided. For direct mail, the address 

5 information maintained by the hospital would mandate the hospital to provide direct mail 

6 advertising to the patients or to entrust this operation to a pseudonymous physical mail 

7 service such as SDL In the (much) preferred variation, a trusted pseudonymous proxy 

8 server operator maintains the patient information on an external database (this would 

9 perhaps be SDI or an SDI-like service) in which all of the above pseudonymous 

10 communication media could be provided along with pseudonymous direct mail services. 

1 1 For the SDI data entrusted variation, the preferred business model to provide incentives to 

1 2 these organizations to cooperatively provide this data would involve SDI's privacy policy 

13 enforcement capabilities in combination with a revenue sharing model in which revenues 

14 from advertisers such as pharmaceutical companies, pharmacies, clinics, HMOs, hospitals 

1 5 (where the purveyor of the data is not a provider of the same competitive services). In the 

16 case in which HMOs are the advertisers, the HMO would identify patients who are currently 

1 7 subscribed to competing HMOs and (typically) have a medical history indicative of a good 

18 risk to the HMO. 

19 The iamworthit insurance competition scheme, as above described, could be 

20 implemented within the context of this current solicitation scheme in order to elicit time of 

21 purchase competition among HMOs upon the submission of an offer by the original HMO 

22 to the pseudonymous patient. 

23 13,2.2 .Matchmaking 

24 The user-centric SDI model allows users to provide personal information on a 

25 carefully controlled basis to vendors and other users. Furthermore, vendors can implement 

26 rules that personalize the information, products, and service provided to users — on the basis 

27 of personal information that they receive from users directly, or have acquired about users. 

28 The key property of "matchmaking" applications is that information exchange is bi- 

29 directional, i.e. a match is not computed on the basis of static information within the system, 
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1 but may involve additional information exchange between agents, and/or special actions by 

2 one or more agents. 

3 Client-level SDI proxies can act as autonomous agents in an architectural variation 

4 of SDI, where the "client-level proxy" is co-located with a (physically) mobile user, for 

5 example on a palm-held computer or head-up display. In a "match-making" application the 

6 goal of these SDI proxy agents is to find other agents with desired profiles/synergies, with 

7 the view to taking an action or exchanging a particular type of information. We describe 

8 many applications, for example: to matching buyers with a virtual sales force, to a market 

9 for expert opinion, to groupware systems for virtual team working, and to an investment 

10 system. 

11 We can allow agents to communicate anonymously, without revealing (even 

12 pseudonymous) identities. In addition, we can prevent one agent receiving profile 

13 information about another agent unless authorization is provided within the rules of data 

14 release associated with the agent's profile. Implicit authorization occurs when a requestor 

15 can present certificates to verify that it has required attributes to access particular 

16 information. Explicit authorization occurs when a requestee provides direct authorization 

17 to a particular part of a user's pseudonym. 
18 

19 Essentially there is bi-directional information filtering: the requestor agent will only present 

20 certain information to the user, information that is relevant; and the requestee will only 

21 provide information when a request is judged to be legitimate. Information exchange 

22 between agents occurs as part of a multi-step negotiation, until both parties can agree on 

23 terms for either a physical meeting (or execution of a deal), or fiirther pseudonymous 

24 exchange of information or cooperation. 

25 In match-making applications the role of the central SDI query execution engine is 

26 to search continuously for "matches" between agents, based on agent profiles. When a 

27 match occurs additional information exchange may occur automatically between agents, 

28 until finally an introduction is made or an action executed by one (or both) of the agents. 

29 Decisions about what information to exchange are made on the basis of both static and 

30 dynamic profile attributes, e.g. standard (historic) profile information, current behavior, 

3 1 current location, and recent activity. Also mode of behavior e.g., social, business, leisure as 
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1 detected by the user's calendar,, time, content in recent conversations, type of users recently 

2 interacted with, etc. LEIA style-behavior attributes can be used to automatically decide on 

3 the relevance of new virtual tag information. A requestee might also demand certain 

4 credentials to indicate the lack of negative reputation marks, for example that an interaction 

5 with the user has never received a bad rating (see Section 2.2.3). Perhaps a third-party could 

6 be used to determine whether the user's know each other (e.g. www.sixdegrees.com ). When 

7 a requestee denies a request for information, it may instead provide criteria for data releases. 

8 A requestor can respond with a different information request, or a subset of required 

9 credentials. Finally, the agents might agree on terms of negotiation and conditions can be 

1 0 anonymously fixed. 

11 There are (at least 5 levels) of information disclosure: indicate to another user 

12 interest; release profile information; disclose communication; start a correspondence 

13 session; schedule a meeting/strike a deal, take some other action, etc. The end-result of 

14 information exchange could be an agreement to calendar a meeting for some future time and 

1 5 place; and absolute, or pseudonymous revelation of identity. 

16 An initial implementation of the data-release policies might allow only manual 

1 7 definitions. However, after an initial "beta testing" phase, a data mining suite could be used 

1 8 to cluster users and generate exemplar data release and data request policies. A system can 

19 provide default settings for users, and recommend setting based on users with similar 

20 profiles. The user can further fine-tune the rules. Automatic feedback techniques can be 

21 useful to adjust rules, for example — ^when a user is especially receptive to particular type of 

22 introduction then make such introductions more likely in the future. An intelligent interface 

23 system might also suggest refinements to the rules, to automatically cover "patches" where 

24 the user currentiy controls interactions. For example, some rules may be based upon a 

25 certain confidence threshold, which the system suggests or refines. The user may accept or 

26 adjust the threshold as desired. S/he may wish to provide settings as to which types of 

27 autonomous actions the user wishes to authorize updates to (based upon his/her own 

28 behavior or as a default users who are very similar) and the user wishes to authorize the 

29 recommended action, or allow the system to fully automate the activation of the 

30 recommended actions (or do so only if the confidence threshold is above a certain level). Or 

3 1 for example bypass user authorization of a recommended action if it falls within a certain 
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1 margin of confidence below the normal confidence threshold for activating fall automation 

2 if the user is performing another important task , e.g., in a meeting, engaged in an important 

3 phone conversation 

4 13.2.2.1 Resolution Credentials 

5 Resolution credentials from third parties can play an important role in agent-agent 



6 interactions. We can prove the absence of a quality attribute or behavior (which is often of a 

7 negative nature) relating to an individual and is submitted by a third party and typically must 

8 be issued on a periodic basis in order to maintain currency. A few simple examples of 

9 resolution credentials which may be of interest to users (credentials which users may 
10 commonly request as a precondition to requesting or accepting requests to be introduced or 



1 1 initiate communication with an outside unknown third party) include: 

12 1 ) For business associations: are in good business standing, e.g., have not attempted 

1 3 to defraud other users in the course of common business practices. Or maintain 

14 sufficient fands in one's account to perform business activities (as represented by 

15 the user). 

16 2) For business interactions or social interactions: are in good standing with the law. 

1 7 3) For social interactions: have not been accused by other individuals of 

1 8 inappropriate or antisocial behavior. 
19 

20 Some standard credentials which may be of interest to many users, and which may 

21 (as with resolution credentials) be incorporated with the standard settings of the user's data 



22 request policy as herein described. A few examples are cited (among countless potential 

23 others): profession, awards, honors, alma mater, e. g., Harvard graduate, doctorate degree, 

24 etc. In accordance with the parent issued patent US Patent #5754938, various credential 

25 issuers are provided for issuing standard and resolution credentials to individuals. Thus 

26 certain entities may be entrusted with "legitimate authority" to validate and submit 

27 credentials which are issued to the appropriate individuals. If a resolution credential is not 

28 issued (or not renewed) an adjudicating third party is provided which has access rights to 

29 both of the parties is provided to resolve resulting disputes (from the subject user). The 

30 present invention describes how credentials can be issued to users pseudonymously. 
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1 There are a variety of rules which a user's data disclosure policy and data request 

2 policy may contain, to control what if any attributes are released, and what credentials are 

3 required. A data request policy may state a rule for explicitly notifying the user if a 

4 particular resolution credential (e.g., indicative of a serious problem or concern) cannot 

5 be presented in response to the user's disclosure request. We allow initial information 

6 exchange to be anonymous, such that information that is released as preconditions for 

7 release of further information is not useful. Similarly, so long as initial encounters are 

8 anonymous there is no need to withhold information about them from the user. 
9 

1 0 Some users may not wish to disclose specific information about themselves via these 

11 standard credentials but instead certain "extracted" more general information may be 

1 2 provided about themselves. For example, instead of a "Harvard grad or Ph.D." there may be, 

13 for example, credentials indicating "intellectual" or "prominent intellectual". Or instead of 

14 indicating an individual's wealth or value of assets, the credential may indicate 'Vealthy" or 

1 5 "very wealthy" (typically, depending upon user's wishes this latter credential should also be 

16 withheld during initial introductions or subject to some fairly stringent conditional criteria 

17 from the other party) and instead replaced with an even more general credential e.g., 

1 8 "prominent" or "influential citizen"). Similarly, an individual's exact profession or scope of 

1 9 work may not be fiiUy disclosed initially but rather a more general definition of his/her 

20 profession or perhaps the general field initially in which the user works or his/her particular 

21 views on certain social or political issues may instead be substituted with (for example) 

22 "socially conscious", "philanthropic", or "moderately liberal". 

23 Another example of a credential of potential interest may include the profiles of 

24 users which a certain individual associates with or is acquainted with. The ability of a third 

25 party to gain access to this information, however, is conditional upon the data release policy 

26 of that associate's or acquaintance's data (e.g. it could be affected by what^ is the profile of 

27 the common acquaintance to whom that user would be disclosed as an associate as well as, 

28 importantiy, the profile of the prospective disclosee.) hi one variation, the system may 

29 simply identify the fact that there are common associates and acquaintances between the two 

30 individuals. Again that associate's or acquaintance's data release policy may fiirther control 
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1 even detection of this fact. It may instead also notify one of the parties of this fact, but 

2 request that it not be disclosed to the other party. 

3 In accordance with the parent patent application, rules may be learned regarding 

4 certain things that a user does (as in ascribing these rules for which messages to send to 

5 whom or what user profiles and under what circumstances/e vents surrounding the target 

6 user). Thus, his/her agent may begin to suggest certain future actions which could be 

7 performed in the future upon user approval or even automatically. If the user has had no 

8 previous interaction at all with the system, it may identify which other users of the system 

9 the present user is most similar, and recommend initial rules. Additional textual attributes 

10 can also be leveraged to provide extra criteria, and data mining techniques used to generate 

1 1 more appropriate rules. 

12 Another category of user credentials include features that may be inferred implicitly 

13 by location/time data captured by LEI A. Such information may reveal a user's likely 

14 behavior and activities. These inferences, however, are unavoidably somewhat speculative 

1 5 and inconclusive, thus cannot be substantiated on a valid basis for issuing credentials. The 

1 6 data may be useful in suggesting the present context and circumstances surrounding a user. 

17 Additionally, the communications which the user may be presently involved in i.e., 

18 the content profile of his/her spoken dialogue and/or other "on line communications" may 

1 9 be used and combined with location/time pattems in order to further infer the circumstances, 

20 behavior, and present temporal interest of a user and/or third party for purposes of 

2 1 employing the user's data disclosure and data request policies. 

22 Credentials can allow users to identify other users that may pose a threat. This 

23 identification may be provided vis-a-vie resolution credentials and/or rating (by third 

24 parties), e.g. a user has not engaged in any serious criminal activity, physically harmed 

25 another person, or interacted with other individuals who are unable to produce these 

26 resolution credentials. Other credentials may specify the nature of an infiingement, and its 

27 context and severity (e.g. what was the context of a physical assault? Was it performed 

28 during a bar brawl, against a fiiend, a boss, an elderly person, a child, a family member - or 

29 at work? In this case, the user agent may, for example, bring to the attention of a 

30 prospective employer tiiat the user could not present a credential indicating tiiat they had not 

3 1 previously harmed or threatened a former employer. Was it minor or severe? Also, if such 
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1 individuals (lacking, for example, resolution credential proving the absence of having 

2 committed armed robbery) are (or come) within a certain proximity of a user, the user may 

3 wish to program his/her user agent to notify the user. The same would, of course, apply to a 

4 store clerk regarding customers of this sort or to baggage security personnel at an airport. 

5 Or, highway patrollers may be interested (e.g., on certain stretches of highway) in being 

6 made aware of vehicles and their locations whose agents are unable to provide a resolution 

7 credential proving the absence of a drug conviction. 

8 In another application (in accordance with the auto insurance risk determination 

9 methods described in co-pending patent application entitied "Applications for Location 

10 Enhanced hiformation Architecture" [ INSERT PATENT OFFICE NO U.S. Patent 

1 1 Application # 09/314.321 1), an on-board computing device within a user's automobile could 

1 2 identify another automobile lacking, for example, a resolution credential for safe driving, i.e. 

13 tiie on-board user agent continuously polls agents in other cars for a "safe driving" 

14 credential, and if it fails to receive such a credential it issues a warning to the user. As an 

1 5 extension, this location data could be converted into a dynamic 2-D rendering upon the 

16 user's windshield (using heads up display technology) in order to thus superimpose a 

17 persistent flagging or highlighting of that particular automobile fi-om the driver's visual 

18 perspective. Pedestrians or low enforcement officials (for example) could also receive 

19 instant notification. As is described in LEIA, a roaming cellular connection, or GPS, is not 

20 essential for providing a user identifier. For example, optically-based biometric 

21 identification techniques such as iris scanning or combined iris/facial identification 

22 techniques may be used among other potential inputs as well. Users will be reluctant to 

23 release location/time data, even anonymously, when suspicious behavior can be inferred — 

24 probably subjectively. 

25 In the case of suspicious behavior we can provide access to law enforcement 

26 officials, through seizure of the decryption key for that data (which includes his/her physical 

27 location information) and any additional profile data which is considered of immediate 

28 critical relevance to the suspect (or prospective) infraction. Such cryptographic techniques 

29 for key seizure from a key escrow are well covered in the literature [FRED, WHAT ARE 

30 THE REFERENCES?]. There may also be certain circumstances in which key seizure may 

3 1 be required after the fact (at some time in the future). For example, if^when certain even 
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1 moderately ''suspicious" behavior patterns are detected, it may be possible for the SDI data 

2 warehouse to preserve a comprehensive record of that information (and perhaps the record 

3 of that user which precedes and follows that period of interest). Thus preserving evidence 

4 which may later prove useful in contributing evidence towards a conviction, acquittal, e.g., 

5 proving that a user was not at a particular location/time. A record containing more detailed 

6 segments of a user with a proven negative or questionable history may be preserved and 

7 general location/time features may be abstracted for the remaining portions of the record 

8 (thus compressing the record substantially). This may be performed for regular individuals 

9 as well, thus retaining key relevant features while discarding the majority of the record 

1 0 which is irrelevant or redundant. 

1 1 Within a location enhanced context, unless the prescribed range of "proximity" to 

12 the user is quite large, securely protecting the user's identity from malicious third party 

1 3 collusion (for purposes of combining unique pseudonyms and/or exchanging data that has 

14 been released and entrusted to them) is a harder problem. The system could (most 

1 5 obviously) assume data exchange between the parties will occur and limit the combined 

16 disclosure to only that of the most data restricted user in a given location/time domain. The 

17 system could alternatively, perhaps "space apart" the number of users within a given 

18 location/time context who can access more "restricted" user data (of course the problem 

19 goes away if all the disclosees have similar disclosure restrictions by that user). The use of 

20 resolution credentials within the context of a location enhanced (physical) environment will 

21 be hard to implement practically until there are powerful and miniature mobile devices. 

22 Automobiles may be an exception, as may be technology which enforces the disclosure of 

23 the physical presence of a user agent (resident in a device) to other user agents within the 

24 networked environment. 

25 Continuation of the Addition to Autonomous Information Disclosure to Third 

26 Parties 
27 

28 The above description suggests the use of a statistical model which can take 

29 implicit passive data about the complete set of variables surrounding a particular instance 

30 in order to determine whether, and if so, what particular data the user is most likely to 

31 wish to disclose, such as the identity of the individual, the profile of the individual (e.g.. 
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1 what other users s/he is most similar to that have also interacted with the user), the time, 

2 location, inferred activities and content based attention focus (which may utilize the 

3 above variables in addition to passive monitoring of spoken content and facts surrounding 

4 conversations). A few concrete examples may be worthwhile suggesting .The system-, 

5 for example, determines that a physical introduction between two individuals may be of 

6 potential interest to them and compatible with their schedules. In fact, they are able to 

7 briefly connect (perhaps pseudonymously initially). Mr. A suggests to Mr. B that a lunch 

8 meeting may be a potential interest (assume that at least one of their calendering agents 

9 does not have them committed to a fixed schedule prior to lunch time and one of these 

10 individuals is Mr. B). Mr. B replies also indicating a potential interest, however, that he 

1 1 has recently dropped in at a friend's house and wishes to stay at least 20 minutes longer. 

12 Based upon the schedule of Mr. A, SDI receives data from the navigational agents of Mr. 

13 A and Mr. B which take into account the distances, drive time (based upon the preferred 

14 routes, the average speeds which Mr. A and Mr. B tend to travel for similar types of 

1 5 interests, and the cafe or restaurant which is closest to the point at which they rather are 

16 likely to cross. Mr. B-, may state the constraint to his agent, i.e., the 20 minute minimum 

1 7 period prior to departure. Or the agent may interpret the accurate interpretation of this 

1 8 fact from his/her conversation with Mr. A. Or if the meaning or the words are unclear, it 

19 could even automatically reiterate its interpretation. The system may tell user Mr. B that 

20 in order to meet up with Mr. A (based on Mr. A's schedule) he must leave his friend's 

21 house in 10 minutes and forego the regular stop at the convenience store. Mr. C may be 

22 another potentially interesting individual for lunch, however, Mr. B's agent doesn't know 

23 all of the facts about how Mr. B may be willing to conform his schedule to meet Mr. C 

24 with regards to changing or rearranging a certain portion of his schedule, and/or replacing 

25 this portion of the schedule with another activity or engagement -(an original activity 

26 which may now be in conflict due to the drive home and physical direction to visit Mr. C. 

27 Mr. B's agent thus identifies and conveys to Mr. B the salient changes to his schedule and 

28 the travel route within this possible alternative plan to meet Mr, C instead. Thus before 

29 Mr. A commits to Mr. B about lunch he has details about all of his feasible options for a 

30 lunch engagement. Mr. B may even state to his agent that that stop at the convenience 
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1 store is a relatively fixed constraint (that it is important) and given that constraint what 

2 are the available options for a lunch meeting as such. 
3 

4 Note (as suggested) that at any time the system identifies within a certain 

5 probability threshold for that user that there may be a certain engagement (or other 

6 activity) which could be scheduled (or replace another schedule activity) the system: 
7 

8 1). Determines the predicted interest-level of that potential engagement or activity (or if it 

9 may involve replacing more than one activity/engagement, determine that the predicted 

1 0 interest of the combination thereof and/or it may enable other activities/engagements to 

1 1 be scheduled which may be replacements for others (estimate the predicted interest of the 

12 activities/engagements collectively comparing one scenario to the other). There may be 

13 other factors affecting user interest in one scenario versus the other, e.g. the distance or 

14 travel time with which it is associated. The system may also be uncertain regarding 

1 5 certain important determining variables, e. g. the profile of the user or even the present 

16 mood or activity or contents focus is not adequately determined, or the nature of the 

17 proposed activity or engagement is not sufficiently constructed (or robust) within the 

1 8 user's profile. In such cases, the user's agent can also ask the user direct questions in this 

19 regard using a national language speech interface and (ideally) at the opportune moments 

20 in which the determination of certain facts as these within the user's present user profile 

21 would provide the ability to identify or dismiss for the user certain opportunities as they 

22 occur. 
23 

24 In light of the present context of the situation and potential opportunities, the 

25 questions may be selectively presented in order of priority and are typically related to the 

26 attributes characterizing present opportunities/individuals which are either of predicted 

27 interest or of unknown predicted interest/relevance but may possibly also include 

28 potentially predicted relevant questions about the present fi-ame of mind of the user, such 

29 as what the user's present activities are (i .e., including work , leisure, etc.) mood, present 

30 focus on what kind(s) of content, etc. 
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1 In the above example, of course, Mr. A and Mr. B could instead be established 

2 friends or colleagues in which case keeping secret their present physical locations may be 

3 considerably less important but not necessarily so. Revealing informational details about 

4 location, action, attention focus to another third party while completely leveraging this 

5 information to provide optimal scheduling efficiency is all possible with SDI and many 

6 individuals may wish to not disclose it in this way (as a default) even if the disclosees are 

7 relatively trustworthy. 

8 Complete robust functionality coupled with complete user privacy as provided 

9 above through the user's agent provides a compelling motivation for users to maintain 

10 much of the information, regarding their present and general location and activity related 

11 data, private in the majority of cases of user interaction and associated schedule 

12 coordination. If Mr. B were to pose different relevant queries to Mr. A's agent while 

13 determining whether he could be interested in meeting, for example, where/when their 

14 paths may cross based upon different times and/or points of departure, the specific 

1 5 location and travel information regarding Mr. A. may still be fuzzed as the meeting time 

16 at the associated place of rendezvous does not disclose to the other party when the other 

1 7 will arrive, only that time when both will be there at the same time(for those rare cases 

18 where even this information may disclose likely specific location and intended time of 

19 departure, we can apply randomization techniques in order to assure privacy with 

20 relatively minor negative impact upon scheduling efficiency. Nevertheless, how much 

21 privacy versus efficiency is desired is entirely within the control of the user. 

22 In another application of the system, the individual may wish to allow another 

23 user (or entity) to be able to arrive at certain levels of deductions or conclusions about the 

24 user which may concern them without explicitly revealing any facts or details used to 

25 arrive at those conclusions. Or in a variation, even allow a continuous persistent 

26 revelation of information regarding these certain conclusions such that if a certain 

27 conclusion(s) occurs (or ceases to occur) notify the requester of such facts. A statistics 

28 and/or manual rules-based approach could be used in this instance. A statistical interface 

29 provided to SDIs central data warehouse could enable an expert to establish correlations 

30 and confidence thresholds appropriate for deducing certain conclusions. For more novel 

3 1 or complex rules which haven't been seen before SDI could receive disclosure from users 
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1 regarding their actions and a request as to desired types of conclusions. The industry 

2 could further trigger an anonymous action (and/or notification) on behalf of the user or 

3 depending on the privacy policy (consent of the other party) an action could even be 

4 triggered based upon such conclusion in the absence of disclosure of the conclusion 

5 and/or even the autonomous action taken. 

6 E.G. notify the subject user of interest in message (or suggestion or warning) 

7 another relevant, noting third party, etc. In such cases, it may however be acceptable for 

8 the user to be able to receive fuzzed aggregate statistics regarding such data as a user's 

9 past behavior patterns (or more confidentially) other users who share similarities to the 

10 user regarding his/her user profile and/or perhaps context of similar activities and 

1 1 circumstances. User profile could be more general characteristics of the user than the 

12 detailed user profile as suggested herein, e.g., the user's corporate department peers, 

1 3 class, demographics, psychographics, travel venue or combination thereof This process 

14 may be performed in either a pull or even push mode. Many associated applications are 

15 conceivable, for example, a spouse (the requester) may desire to have his/her agent 

16 persistently issued a resolufion credential indicating that all of the activities of the user 

17 while on a business trip are consistent with behavior which is appropriate for a married 

18 individual, e.g., that the associations with business associates/colleagues are maintained 

19 at a professional level (per that mutual physical locations and perhaps even directly or 

20 transmitted spoken or written communications) or that user doesn't engage in late night 

21 carousing at questionable venues, or , for example, that the individual on his way to 

22 work, to a meeting worked diligentiy on an important proposal or on his/her way home 

23 from work without revealing any further details which his/her agent has explicit 

24 knowledge of with which it deduces these facts with confidence. Another example might 

25 involve the use of LEIA via small cellular transmitters (with or without GPS) affixed to 

26 small children or the elderly whereby location and activity related information is 

27 maintained private, unless an inappropriate action is performed (e.g., motion and/or 

28 acoustic detectors in the elderly person's home suggest s/he may have fallen, that the 

29 child has wandered away from parents or is conversing with an inappropriate stranger. In 

30 such cases, notify the guardian or assistant in charge or allow a highly trusted party who 

31 happens to be in the immediate vicinity of the party to be notified to come to his/her aid. 
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1 In the latter case (of the child) perhaps there is suspicion that the child has just 

2 disappeared and the parent(s) authorizing the agent of the child is able to send out an 

3 immediate description of the child to all certified "trustworthy" parties who are in the 

4 immediate vicinity, e.g., after the initial description has been sent out, one of the parties 

5 indicates the child was speaking or walking with an apparent stranger of X description 

6 which is also, in turn, transmitted to these trusted local parties (and at that point to the 

7 police). In a variation of the above example, a crime could have just been committed and 

8 the assailant has just been described in detail by the victims with information regarding 

9 location and direction last headed which is again transmitted to other parties: 

10 Thus, more immediate, complete and up to date information of importance for 

1 1 police to make a more immediate apprehension of the suspect is made available to police. 

1 2 INSERT»»»>»»» 

13 Location determination via LEI A could be either through user's LEIA-enabled devices or 

14 the coordinates of the user(s) as identified verbally by the user, e.g., to a 911 server. 

15 Other examples of the present system could apply to immediately locating trained 

16 medical, EMS trained or rescue personnel in proximity of a urgent medical emergency or 

1 7 accident Such personnel could even be off-duty. Depending upon the particular nature 

18 of a medical emergency, particular specialists appropriate to the circumstances could be 

19 identified, their comparative physical proximities compared with other potential qualified 

20 individuals and based upon qualification appropriateness, physical distance and perhaps 

21 willingness, a most appropriate match made. In another application, likely witnesses to 

22 an accident (including automobile accident), theft abduction based upon their location 

23 and time relation to the event of interest could be notified to provide helpful clues in 

24 assisting investigators in obtaining a suspect or legal professionals a conviction or 

25 acquittal. In the case of abductions timing in acquisition of such information could be 

26 extremely critical and the ability of such notification to be distributed instantly to all 

27 "trusted" individuals in the immediate vicinity at the very outset of when a person (e.g., 

28 child) is even suspected of being lost could prove to be invaluable in not only rapid 

29 recovery but also in thwarting of those few instances in which a kidnapping has actually 

30 occurred. Some users may wish to be available and willingly notified to help in certain 

31 dire circumstances (the nature of which the user ultimately has control over) but may 
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1 wish to remain anonymous to authorities and legal professional after the fact (or for 

2 example in cases of providing witness testimony (as via a subpoena) to more trivial or 

3 non-life threatening cases. A market model may also be created in which compensation 

4 schemes which are just appropriate to compel typical individuals to provide desired 

5 assistance may be provided. Finally, the present methodology could be readily extended 

6 to a taxi dispatching service in which a taxi's most local to a given user can be dispatched 

7 accordingly. Another example includes employees within a large organization. The 

8 statistical techniques as described in the parent patent application could be trained such 

9 that examples can be identified or explicitly stated rules provided by employers of what is 

10 considered to be actions and behaviors which are inappropriate and irrelevant to the type 

1 1 of work related activities of that employee's job description (ideally trained across 

12 previous "similar" employees). The system can take into account browsing, 

1 3 communications, (including spoken communications), even location (LEI A) data into the 

14 model (e.g., for tele-commuters) and flag suspicious behavior. SDI can even upon 

1 5 agreement by the employee) allow the employer to access more detailed information on 

16 the specific behavior once the suspicion threshold has been exceeded. 

17 In another application, the user may wish to provide predefined rule( which could 

1 8 be suggested by the system initially in (similar fashions as suggested above).s which can 

19 be used to notify a certain individual(s) if certain explicit (or agent) inferred events occur, 

20 for example, that the user is in town, has just received certain important news of a 

21 promotion or change to a new position, internal company news which relates to that 

22 individual and may have professional relevance on the other individual (the latter two 

23 examples which may be relevant to say the professional profile of that individual , etc.). 

24 In addition, the individual(s) may be made aware of the event disclosure policies set forth 

25 by the user relating to them specifically (if desired) and this individual(s) can fiirther 

26 provide filtering rules which allow all or a portion of that information to actually reach 

27 the user. In another example, the user may have met or known the individual at some 

28 time previously and the venue and context of the meeting circumstances and relevant user 

29 profile information to that context are known and disclosed by both parties. The user 

30 then wishes to re-establish contact perhaps defining the reason for the request and the 

3 1 individual can have predefined rules or acceptance or rejection of the request directly. 
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1 In a final example, virtual tags are provided containing comments and annotations 

2 regarding a certain physical object (which could be anything from a tourist attraction to 

3 the physical site of a recent hot news event to a useful annotation critiquing a bricks and 

4 mortar vendor). An individual whose profile suggests s/he is knowledgeable (or had 

5 provided the relevant annotation of interest) about that object would allow this relevant 

6 information to be conveyed to other individuals who have perhaps an interest in that 

7 information (generally or at that moment). 

8 The relevant individual (if s/he is also willing) may be contacted and solicited to 

9 meet if their calendaring agents can appropriately coordinate the meeting. It may be 

10 either context specific, e.g., both individuals are physically local (or plan to be local to 

1 1 each other) and the physical object or site of interest or simply (generally) local to each 

1 2 other. 

13 It is perhaps worthy to note that the present methodology could certainly be 

14 extended to include the application to rules dictating reachability conditions of users byu 

1 5 other users via standard telephone. The application to cellular telephony is of particular 

16 interest in its ability to communicate to the user in a variety of modalities (voice, 

1 7 notification, instant messaging, Web content). In addition, similar rules may be adapted in 

18 this scenario with perhaps minor modifications. For example, under what conditions may 

19 the user be reached by another user. E.g., what is the nature of the relationship between 

20 those individuals? If it is not known, inferences fi-om the context of previous conversations 

2 1 may be determined. Does the user typically accept calls (or other communications) fi-om the 

22 other user under similar circumstances and/or times. If this data is not available are they 

23 accepted by other users similar to that user according to a key attribute(s) or does the other 

24 user accept communications fi^om the user under similar circumstances as they present 

25 communication attempt (as this may suggest similar reciprocal acceptable reachability 

26 conditions as that of the other user. Again, LEIA suggesting location movements and 

27 associated measurable behaviors as sequential patterns and as formation of time may be 

28 important. This detailed statistical model of the user could be uisefial in learning the context 

29 of performing certain autonomous actions for the benefit and convenience of the user and in 

30 the reachability of the user by other users, e.g., in what communications mode is the user 

31 interested in communicating, e.g., speech to text-based instant messaging or standard 
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1 telephony, does the user mind being interrupted with phone ringers, (or vibration mode) or 

2 ringer-off mode). Previous similar communications contexts may be useful in determining 

3 inferred rules which may be presently appropriate (e.g., was the spoken content of the 

4 previous communication indicative of acceptance or annoyance of the communication with 

5 the other user within a similar associated context . Eg., this may suggest whether and in 

6 what contextual conditions of both accessor and accessee the accessor' s call may be patched 

7 through (or re-forwarded if initially accessing another number or telephone of another likely 

8 venue where the user may be believed to be present. 
9 

1 0 Exemplifications of The Underlying Statistical and Rule-Based Intelligence Used in 

1 1 Autonomous and Semi- Autonomous Release of Personal Data Release, Matching and 

1 2 Reachability by Other Users 
13 

14 The above section "Location Enhanced SDI System relating to Smart Home and 

1 5 Office techniques provides a relevant platform for integrating intelligence into a multi- 

1 6 device environment. Mobile user intelligence is a sub-component of this broader multi- 

17 device (or "ubiquitous computing") application-level intelligence platform. In view of 

18 the present application framework, it is a very intriguing and challenging problem to 

19 provide a statistical framework which is able to allow the user agent to make appropriate 

20 inferences regarding users who generally, though imprecisely, fit a certain profile which 

21 may suggest the acfivation of a rule (i.e., a "fiizzy rule") such as requesting fiirther 

22 information disclosure from that user, identifying that individual to the present user or 

23 more sensitive types of actions such as if the requested information from the other user 

24 requires some sort of a fee or the other user, in turn, requests certain information 

25 disclosure from the current user (which may be considered at least moderately sensitive). 

26 It is clearly extremely advantageous to entirely automate as many of these types of 

27 information exchange and notification related actions as possible in order to enable the 

28 system to function seamlessly and intuitively to the user's present wants and needs. In a 

29 general sense, it is reasonable to suggest that the key to minimizing active user approval 

30 of rule based recommendations is the ability to accurately infer present user actions and 

31 behavior, thus allowing the system to more accurately infer the present user mind set. 
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1 activity related focus, perhaps even the mood which the user is presently experiencing 

2 unless the nature of the disclosure is extremely sensitive or otherwise extremely 

3 important to the user. Many of these types of actions could be performed without active 

4 user approval and authorization. There are a couple of approaches which can be applied 

5 which may be able to limit the uncertainly of the system, possibly alleviating before 

6 hand, inappropriate or unwanted actions or failure to perform certain desired actions. For 

7 example, it might be possible to perform data analysis on very large data sets of users 

8 who share very similar profiles and to perform very similar actions and behaviors in all 

9 aspects of their physical interactions with the real world. The recommended actions 

10 provided by the system may also be used to provide the user with a natural language 

1 1 interface which identifies to the user those types of circumstances and conditions in 

12 which there is an inherent lack of adequate statistics from previous user experience to 

13 prove beyond a reasonable level of confidence the action desired by the user. Or the 

14 system is unable to identify with a high statistical confidence level a most appropriate 

1 5 action based on the collective statistics of other similar users and conditions (the system 

1 6 may helpfully suggest those which are possibly the most prevalent. However, in other 

1 7 cases the actions (or combinations thereof) of the user are unique enough that the system 

18 lacks sufficient statistical data, the likely appropriate actions are sharply divided between 

19 or among different possible actions or (similarly) there are no strong statistical 

20 correlations which can be established (perhaps because the key factors with which the 

21 desired actions are most influenced cannot be captured due to the limited input 

22 constraints to the present system, e.g., precise accounting of present activities or focus 

23 (even such things as the likely emotions or present attention focus of the individual for 

24 which there may be a lack of sufficient measurable clues visa-vie the suggested input 

25 modalities. The natural language interface (perhaps an application for a language 

26 generation system) could communicate tK) the user its interpretation of his/her behavior 

27 and the statistical correlations with recommended autonomous actions. E.g., if the user 

28 is in his/her home study between 9-1 1PM, she/he is likely to be engaged in work relative 

29 to a research publication thus an invitation to other colleagues in this area will be 

30 extended and/or communication requests accepted .to contact the user accordingly under 

3 1 these conditions. The system may detect similar conditions in which the user may reject 
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1 requests to correspond by such individuals under these conditions, e.g., if the identity or 

2 identified context (or even context inferred from the identity) is inappropriate for that 

3 particular context of user activity. The user may provide another annotation to the rule 

4 which says that if she/he has recently corresponded with another individual(s) at that 

5 time/location, chances are that she/he is, in fact, in a social related mind set. As 

6 indicated, there are numerous potential inputs to the system, which could be considered 

7 in predicting what agent-mediated actions are, in fact, appropriate. The techniques of the 

8 parent patent application, if applied in this context, would allow us to make strong 

9 inferences about the particular mind set, reflecting present interests or preferences which 

10 the user is likely to be receptive to, presently based upon such clues as who the user is 

1 1 presently interacting with, the content profiles of the present real-time dialogues, e. g, 

12 typed or spoken through a communications network, (or simply passively collected off- 

1 3 line), the object profile of documents or web pages being interacted with. Activities may 

14 further be inferred by such indicators such as the particular physical location of the user, 

15 visa- vie LEIA, the particular sequence of location specific movement patterns, the 

16 particular types of devices with which the user is interacting )( and perhaps the nature 

17 and/or sequence of those interactions). More complex rules are certainly also 

18 conceivable, such, as the user will not interact, transact except under certain specific 

19 conditions, such as a commercial opportunity if the user fits a certain stereotype, i.e., 

20 similar to those previously interacted with for the nature or content of the proposed 

21 discussion, in light of the type of user, may be acceptable under certain circumstances, 

22 locations or mind sets experienced by the user. E.g., a young female in her twenties may 

23 not wish to be approached by 40 year old males unless the context of the interaction were 

24 purely business, e.g., a professional, or commercial or sales opportunity thus if she were 

25 in a purely social mindset such requests to interact would be denied. Likewise a busy 

26 executive in his/her 30's may deny such requests from the young female unless her 

27 request was purely of a social nature and he was not overly time constrained. There may 

28 be certain "professionally" -prospective correspondents, however, which he may prefer 

29 over others based upon some additional interesting criteria as well such as other 

30 business/professional areas of commonality, common interest areas, even socially 

3 1 compatible or interest criteria. 



Page 306 of 381 



SUBSTITUTE SPECIFICATION 



1 Of course, SDI is able to extrapolate extremely sensitive features regarding 

2 interest preference and context which may establish a basis where two individuals or 

3 more individuals, to be mutually identified to one another and/or communicate 

4 accordingly or to not be mutually identified and/or accordingly communicate (SDI may 

5 even establish the basis for these mutually beneficial interactions even if revelation of 

6 this basis by one or more parties by the other is not permitted within the privacy policy of 

7 one or both of the parties). Of course, SDI may fi-equently identify individuals whose 

8 personal data revelation requires certain minimal requested personal data from the other 

9 party as a condition to such revelation (which SDI is capable of fully automating on 

1 0 behalf of both parties) or the user may request certain information and make a personal 

1 1 judgment in real time as to whether further information about him/herself should be 

12 revealed and/or whether introduction or communication is desirable. In these cases it 

13 may be difficult to always successfully achieve an introduction when appropriate as the 

14 user is unable to guarantee 
15 

16 a). The revelation of certain information to the other use if that user reveals certain 

1 7 information accordingly, or 
18 

19 b). Is willing to agree to be introduced if certain desired information is revealed by the 

20 other party (often busy executives have absolutely no time to disrupt their busy schedules 

21 to discuss certain opportunities when there is enough revealed about those opportunities 

22 to justify the correspondence. However, the nature of the opportunity is too sensitive a 

23 piece of information for the disclosing party to be able to reveal without certain 

24 guarantees that there is sufficient interest for the recipient to discuss the potential 

25 opportunity further. This quandry unquestionably poses a huge challenge, however, it 

26 can be somewhat overcome by: 
27 

28 a). — SDr;s ability to keep track of most, if not all activities, behaviors and 

29 correspondences, particularly acceptance or rejection of those SDI pre-qualified 

30 recommended interactions, 
31 
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1 b). Detailed information provided by the individual or entity to SDI as to the nature of 

2 the various types of individuals, entities and potential opportunities to conduct business 

3 which the individual is able to provide to SDL SDI itself may apply human experts for 

4 the task of interpreting the compatibility of certain requests with the access 

5 correspondence policy of the individual, provide a rules based system (which can also 

6 learn with fuzzy rules) with which to automate some of the decision or, at least automate 

7 the "definitive" exclusions). 

8 13.2.2.2 Applications 

9 User and seller information - as detailed in the parent issued patent, specific details of 

10 what users and sellers may be looking to buy or sell respectively may be used to 

1 1 suggest the basis for a potential commercial transaction. The transaction may be 

12 large (but not necessarily so, e. g., real-estate, private investment in a small 

13 business or public stock). If a physical or on-line interaction with the other party 

14 is warranted (e. g., for larger commercial transactions), as is suggested later as in 

15 the present description, users may identify other users which form the most 

16 relevant "match" with their interest. At this point the agents can check for 

17 credentials, and then either communicate or calendar a meeting. Similarly, the 

18 agents may find the "best" match of users who happened to be physically 

19 proximal to the user at that particular time, or at some fiiture time(s)/location(s) 

20 which is mutually compatible (similar applications are suggested for matching 

21 sales persons with prospective clients, identifying experts to work (individually or 

22 collaboratively) on a particular project or problem, to answer a question of an 

23 appropriate specialized nature to their area of expert knowledge.) The parent 

24 issued patent suggests at a general level these commercial applications. An 

25 additional feature described therein involves the use of a decision tree called 

26 "Rapid profiling" which can be used in the present context to identify fi-om the 

27 most common needs of users and "goods" of sellers in general and the known 

28 profile data about each user and seller individually, a list of questions for each 

29 party which most briefly and efficiently determines the complete user/seller 

30 profile of each party individually. 
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1 

2 Social Interests Profile Information — The parent issued patent also suggests the 

3 present application at a general level. For a dating application, users may be 

4 matched on the basis of their common interest s/preferences and perhaps on the 

5 basis of certain information reflecting personality, social or cultural 

6 behavior/affinities or psychological attributes. On the other hand, for purposes of 

7 meeting casual acquaintances, users may be interested in another user who shares 

8 the above characteristics as well as someone who has recently shared similar 

9 experiences and/or personal challenges. 
10 

1 1 Professional Information/Qualifications - As in the application of matching users and 

12 sellers, a description of a user's needs or situation with relation to various 

13 professional services may be provided as additional data about the user. 

14 Examples may include: (as above) medical data, professional or business history 

15 (as well as legal history) which may be of interest to law firms, accounting firms 

16 or various business consultants. Personal, family or emotional difficulties may be 

17 of interest to psychologists or family counselors. Again, users may submit this 

1 8 information as a query for prospective matches, or they may be pseudonymous 

19 queries or automatically matched in accordance with criteria specified by the 

20 professional. The issued parent patent application also lists additional 

21 applications, which could as well be relevant within the usage context of virtual 

22 tags. 
23 

24 Employer/Employee Information - An employer may post a description as part of 

25 his/her virtual tag (and that associated with his/her company). His/her employees 

26 may also have provided ratings and/or annotations, which are further descriptive 

27 of his/her personality, leadership/management style and skills, work environment 

28 which s/he promotes and overall quality. A previous employee may allow 

29 him/herself to be contacted by the prospective candidate (e.g., in exchange for a 

30 fee). 
31 
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1 Access Privileges Information - Users in an organization are frequently given 

2 privileged access to certain files within a corporate intranet but not others. 

3 Though there are many ways of profiling users according to their level of access 

4 privileges to information, the following example is considered: Based upon the 

5 position (e.g., responsibilities and tenure with the organization), users may be 

6 "classified" into groups according to different levels of access to confidential 

7 information. Virtual tags may be used to extend the capability by providing for 

8 immediate disclosure of a user's informafion access privileges to another 

9 employee in real-time and in a physical context. Also, if a user reads or accesses 

10 certain information, meets with a certain colleague or fiiend, then a user might 

1 1 send a message X. This message could be (for e.g.) a request to perform some 

12 task relating to part of that information, a reminder to address certain issue(s) 

13 while chatting with the colleague etc. or, per the request of an individual's 

14 employer or colleague if a given individual (a sales person) meets with user X 

1 5 send him/her message Y (which may refer to a previous encounter, experience or 

16 fact s/he should know pertaining to user X and which may have bearing upon 

1 7 their conversation or professional interaction. 
18 

19 Access restricted physical areas. In this case the virtual tag effectively may behave 

20 like an "electronic door key". A variation of the technique may be used for 

21 granting access to professional meetings, where information access privileges of 

22 users must match the anticipated confidentiality parameters for the scheduled 

23 meeting. Another application may include the ability to automatically enable 

24 access or restrict access, based on payment of fees, and whether or not an 

25 individual is a representative or partner of a competing company. 

26 13,2.2.3 ^Business Introduction System 

27 Another application domain for privacy-protected match-making, where users are 

28 anonymous until an agreement is struck is business to business introductions. For example, 

29 it might be useful to automatically identify synergies between businesses (e.g. in 

30 infrastructure, technology, or product) -- for the purposes of pursuing an advantageous 
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1 strategic relationship. If the meeting is between two employees of competing companies, 

2 then the system of match making could also ensure that a meeting is predicated on a 

3 particular task that does not cause conflicts with their respective companies. 

4 Each business might state within SDI: 1) what entities or types of entities s/he would 

5 share resources with. 2) If so, on a per-entity or per-entity type basis, what types of their 

6 resources (e.g. type of skilled employee and for what TYPE of out-sourced task) would the 

7 entity share. It is an obvious extension to look at sharing of code, technology, intellectual 

8 property. A major challenge and limiting factor being how well informed SDI, the neutral 

9 intermediary can be made aware of the needs/requirements of a company such that it can 

10 make evaluations entirely on its own regarding highly confidential materials with which it 

1 1 can accurately predict the basis for a deal WITHOUT disclosing to the prospective recipient 

12 what the technology or know-how entails (which could compromise the value of that asset 

1 3 should a deal not eventuate). 

14 Corporations may also use SDI to utilize the above information regarding their 

1 5 human and technology sharing synergies in order to detect and recommend strategic (e.g. 

16 equity sharing, merger, acquisition etc.) relationship opportunities between the entities. B to 

1 7 b and even b to c user centric SDI user behavior analysis combined with text analysis 

18 should also provide revealing clues about what types of companies tend to share similar 

1 9 customers and provide similar (complementary or competitive) products and services which 

20 may suggest that such synergies are potentially available. Of course the vendor centric SDI 

21 service may benefit fi*om this information as well as provide information for other vendor 

22 identification of competition. Other data resources including electric payment protocols, 

23 EDI, automatic check payment, check services, etc. may be useful data resources as well. 

24 Again the disclosure of detailed business information is very helpful and a data 

25 release policy defining the parameters for such strategic initiatives may be critical in order to 

26 determine what companies may be potential candidates for which initial feelers (of high 

27 level information disclosure) would be appropriate to put out to a prospective company to 

28 determine mutual interest and/or further basis for expected synergies. 
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1 13,2.2.4 — Dynamic Annotation/Information Filtering 

2 In this extended application of SDI, we allow users and other third parties to 

3 annotate objects (physical and virtual) with meta-information, either to remind 

4 themselves about a previous interaction in the future — or as a system of "knowledge 

5 learning", where systems of users leave useful information for other users. Information is 

6 left in the environment, leaving a trail for other users. 

7 For example, the information that is tagged to an object, referred to as a "virtual 

8 tag", can contain a pointer to other relevant information, such as a survey of a film by a third 

9 party, or the user's own comments/feedback. For example, a restaurant listing could be 

10 annotated with meta-information about the quality of the food and service. Such 

1 1 information, when provided by a wide sample of users, can provide robust information 

1 2 about objects. The information that is used by a particular user can be filtered — for example, 

1 3 weighting the opinion of a respected restaurant critic, or weighting the opinion of users with 

1 4 common profiles (when that information is available). 

15 Virtual tags (i.e. meta-information) can be assigned to objects with physical 

1 6 locations, and- the information triggered based on the physical location of a user (using LEIA 

17 technology). Virtual tags can be assigned with expiration dates or other time-sensitive 

18 information. An individual user might leave an "action item", for example — ^next time I 

19 retum to this object (e.g. web page/ vendor) be sure to perform this task, enter this query, 

20 check this link for new information. As another example, after a conversation with an SDI- 

2 1 enabled user it is possible to tag that user with some notes, to remember the conversation the 

22 next time the two users meet. 

23 The technical innovation that allows this use of virtual tags, in addition to the 

24 protection of privacy, is tiiat we allow users to annotate information to objects that they do 

25 not directly own through a system that separates virtual tags fi-om the content that is tagged. 

26 In particular, tags can be stored (either at the ISP-level proxy, or main SDI server) for 

27 associated web pages, and exchanged/retrieved automatically when the object is accessed. 

28 The virtual tags can be used in conjunction with target-object profiles that are generated 

29 through SDI for web pages (and approved by vendors). Virtual tags can be searched, using 
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1 relevant terms, locations, or times, and can also contain links to authoritative information, 

2 such as audio and/or video. 

3 For example, in accordance with the prediction that readily deployable visual video 

4 recording devices will become commonplace (even integrated into wearable computing 

5 hardware). Users who are amenable to releasing such information under terms of their 

6 privacy policy may allow other individuals subsequently visiting the same physical location 

7 physically or virtually to gain access to such information. Such information may range from 

8 detailed accounts, assessments of value, etc. A user could, for example, do a general query 

9 about locations e.g., what is the percentage breakdown of types by their pseudonymous 

10 attributes, who frequently visit this site which sites tend to have commentary of a particular 

1 1 topical nature of interest to user U, which sites are visited frequently by individuals similar 

12 to user U, which sites have had an event of a particular type or one which is similar to user 

1 3 U's user profile occur in the recent past (or where or how close did such event occur with 

1 4 respect to the recent location of user U and so forth). 

1 5 Tags are encrypted, so that only SDI-enabled users can access them. Tags are also 

1 6 associated with the pseudonymous ID of the user that left the information (although they can 

17 be anonymous, an associated profile allows more accurate collaborative filtering 

1 8 techniques). Finally, users can leave data-disclosure policies, embedded into tags — to certify 

19 the properties of other users necessary to release the information. When tags automatically 

20 are time-stamped with location, and time, and other information we allow for this 

21 information to be "fuzzed", as disclosed in the section on Randomized Aggregates, to 

22 protect a user' s identity. 

23 In the physical world, implementation of meta-information in a user's physical 

24 information, can be viewed via head-up displays, video cam monitors, wearable computing 

25 devices, or audio pieces. The information itself can be embedded directly on physical 

26 objects, for example on magnetic strips or via. visual encoding techniques — or the 

27 appropriate information can be accessed from a secure remote database based on the user's 

28 physical location (using LEIA location technology); or bar-codes that provide a universal 

29 identifier for an object. 

30 As an extension to this model, we also allow users, vendors, and other third parties 

31 to associate "meta-information" witii other users and vendors. This information might be a 
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1 user's opinion about his/her interaction with another user, an annotation that relates to a 

2 particular web page, or information about a physical object. The system of SDI enhances the 

3 value of this information by providing a secure environment where users can report meta- 

4 information (i.e. opinions) along with their profile information, to permit collaborative 

5 filtering techniques to generate appropriate meta-information about an object (user, physical 

6 object, vendor, web page, etc.) that will be useful to a particular user — given that user's own 

7 profile. We define 'Virtual tags" as any piece of information about an object (physical or 

8 virtual). The information may be authored by any party, but annotated accordingly. For 

9 example, the appropriate virtual tag provided by a user about his/her-self is the 

10 pseudonymous profile for that user, ~ and with SDI only the user his/her-self can gain 

11 access to the profile (either directly through editing, or indirectly through continuing 

12 transactions). 

13 We might implement a Kasbah-style "reputation system" within such a virtual 

14 community. Initially users (under pseudonyms) have no reputation, and their opinion does 

15 not count for much, but after every positive interaction (as defined by other parties in an 

16 interaction), the "reputation" of a user can increase, (see the Kasbah system, MIT) [Kasbah 

17 98] This reputation system is appropriate to a pseudonymous environment. Notice that 

1 8 gaining negative reputations is not usefixl when users can simply change identities. In one 

19 variation we can "block" certain users fi"om providing information, when those users have 

20 negative reputations. Clearly, collaborative filtering or other data mining techniques could 

2 1 usefiiUy allow for reputations when weighting information about an object. 
22 

23 13,2.2,5 ^Meeting Planning 

24 The general application fi-amework of matching users based on mutually beneficial 

25 and acceptable terms and conditions within a physical context, e.g., be it e commerce (as 

26 above described) business or social objectives, it is also useful to develop a mode which 

27 considers the schedules of the calendaring agents of tiie individuals, as well a. s the timing 

28 and (if relevant) the meeting opportunities which would be based upon mutually compatible 

29 meeting venues which are mutually time compatible), A statistical model could be 

30 developed which would take the above data (where appropriate) the geographic proximities 
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1 (considering lengths of travel routes between users may travel to attend a meeting) in order 

2 to determine: 

3 a. How to minimize the travel distance for individuals whose automatically scheduled 

4 meetings are combined as part of an existing travel activity might be if the meeting was 

5 scheduled, in part because it was of relevant values to the party (and it was at least relatively 

6 close to the existing intended travel route). 

7 e)b. It was sufficiently important to mandate a separate trip. The idea is to determine the 

8 optimal physical locations of individuals to physically reside, (i.e. for residents or even hotel 

9 lodging as well as possible the physical locations of business such that when the above user 

10 agents - agent introduction meeting and scheduling functionalities for physical meetings is 

11 performed for the amount of physical distance which must be traversed is optimally 

12 optimized. The statistical method used in this calculation would be similar to a scheduling 

13 optimization method used to schedule flights and associated routes to minimize the total 

14 distance traveled by all flight routes collectively (see Princeton publication using genetic 

15 computing techniques). Of course, the above approach would be used for a more 

16 immediately practical application in which the objective would be to simply reduce the 

17 amount of distance a user traveled for his/her daily activities and to tie this framework into 

1 8 an existing scheduling system which is appropriate for the user. It is possible to also further 

19 define the ultimate objective to be reducing the actual travel time which a user spends in a 

20 vehicle (thus the optimization algorithm would further factor in the effect of time delays due 

21 to highway congestion which would affect the ultimate ideal locations of these physical 

22 sites. 

23 A couple of concrete examples includes for example a real estate developer who 

24 develops clusters of home building sites or town homes which reflects the profiles of users 

25 sharing common or compatible profiles (e.g., socially, professionally or commercially) or 

26 recommending hotel lodging sites for individuals who share similar commonalties and 

27 happen to be visiting the same location or city. It is also possible to physically locate 

28 vendors at locations in which their most preferred customer prospects are most commonly 

29 physically traveling past or are physically situated (using LEIA) even considering where 

30 these prospects are during periods in which their shopper interest (or mood) for those 

3 1 items/services are heightened (or more generally factoring in both location and temporal 
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1 (mood) factors into the user profile data as it is herein applied for this purpose. Whether 

2 users or vendors (subject to user consent) share customer data, there are other potentially 

3 interesting and relevant applications, for example, based upon LEI A a user's calendar 

4 schedule perhaps even verbal clues, it may be possible to coordinate meeting between users 

5 and professionals who can provide a useful service e.g., if a specialty physician happens to 

6 be situated in the user's present or anticipated locality and the physician would be available 

7 for an appointment at that time and location. It is possible that ad hoc use of shared clinic 

8 space may be available for such ad hoc appointments. 

9 13.2.2.6 Jnvestment MatchmakingA/enture Capital 

10 This section describes a market place in which start-ups can propose a venture or 

1 1 other financing needs in order to elicit an auction between different Venture Capital funds. 

1 2 We can allow potential investors to leverage securely confidential information regarding the 

13 details of business present and anticipated strategic alliances and customers. Each company 

14 securely registers all of this confidential business information SDI. It is even possible for 

1 5 confidential information about future R&D initiatives proprietary know how and intellectual 

16 property to be entrusted with SDI such that potential synergies may be determined well in 

1 7 advance of the market. 

18 A domain expert(s) within SDI then determines potential synergy's between the 

19 various commercial entities both for purposes of facilitating introductions on a 

20 customer/vendor level, strategic partner level, as well as what particular financing sources 

21 which are compatible for tiie level of the financing needs and other characteristics of the 

22 financing such as terms, involvement on a control and/or management level (as well as 

23 compatible commercial technology venue in which they participate). The key objective is to 

24 identify as first priority the commercial entities and customers which can provide the 

25 greatest degree of benefit to the vendor then to, secondly, determine which entities within 

26 the VC/financing community are able to bring the most valuable of these contacts to the 

27 table. 

28 An investor may fiind a small start-up and also improve the value of the start-up by 

29 facilitating a larger vendor becoming a customer. An investor might negotiate a special deal 

30 for such a vendor, hi one variation SDI could be used to mediate the introduction of 
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1 optimally strategic investment opportunities to an investor and to identify strategic synergies 

2 among and between different commercial entities who are already funded by an investor(s). 

3 In this way it may be possible to introduce these investors and create joint participation with 

4 the new prospective investor. 

5 By leveraging SDI, the investors may even identify certain intriguing facts such as 

6 that the synergies between one of their own customers and the other investor are also 

7 significant and/or even dis-synergies exist between their own investors and themselves 

8 which do not exist with other investors (e.g. and investment in a competitor or customer of a 

9 competitor) that it would be mutually advantageous for the investors to entrust SDI with the 

1 0 job of making appropriate introductions for re-distributing equity ownership of the investors 

1 1 into those other companies which are more appropriate from a strategic standpoint. 

12 The motivation behind agreeing to these introductions of course must be bona fide, serious 

13 and not initiated with the malicious intent to capture otherwise confidential information 

14 (particularly for those investors at higher level financing levels such as higher level VCs, 

1 5 investment bankers and more generally investors who tend to be more minimally involved 

16 in direct management or marketing initiatives for the company) it is certainly reasonable to 

17 imagine that some of these investors may wish to apply some of the above suggested 

1 8 techniques for finding (or even exchange equity opportunities within the commercial market 

19 partially for the purpose of diversifying their risk by thus owning smaller equity stakes in 

20 more companies and particularly those which are most commercially strategic and mutually 

2 1 synergistic in nature. 

22 The powerful data collections of SDI regarding comprehensive 

23 commercial/investment data which of relevance to predicting the nature of an market 

24 dynamics of the associated commercial entities, and to build insurance for an investor. The 

25 primary objective is to identify investments which are predicted (using a variety of methods 

26 both human intuition and empirically based) to behave very similarly (including e.g. 

27 possessing a very similar, upside and risk potential). A secondary objective (unlike the 

28 above variation) is to then evaluate and actually identify competing companies to the one(s) 

29 the investment in which is being insured where it is believed that the success of the 

30 competitor(s) would have a negative impact on that of the company. Thus risk is effectively 

3 1 diversified among the overall success of those companies. The insurance could include a 
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1 deductible and premiums which are determined in accordance with the amount of coverage 

2 which the investor wishes to acquire. These premiums could be either paid in the form of 

3 cash or equity. In one variation "success" for insurance purposed could be measured as the 

4 success relative to the average of all of the others within the same similar group. 

5 13.2.2.7 Ideas Market 

6 Individuals can submit an idea to SDI along with the application framework, target 

7 market, or a list of vendors, which may most benefit as a result, hiterested parties can then 

8 bid within SDI for the ideas. The system of SDI can operate the auction privately, and only 

9 provide bidders with a limited amount of information about the idea. The problem is to 

10 automatically appraise the value of an idea for a particular vendor without providing the 

1 1 vendor with the idea, so that when the auction is over only the agent that wins actually 

12 leams detailed information about the idea. The price paid may include an up-front price and 

1 3 promises of long-term royalties or equity, etc. 

1 4 The privacy-secured ideas market is useful, because traditional negotiation processes 

15 fail: there is always a powerful motivation on the part of a commercial entity to steal the 

16 idea and leaving the originator with no compensation, consideration or acknowledgement. 

17 With SDI an individual with an idea is able to place an idea in the marketplace, so that 

1 8 commercial vendors can provide SDI with information regarding their business, to allow 

19 SDI to value the idea autonomously on behalf of the vendor; i.e. on the basis of current and 

20 fixture commercial research initiatives. SDI computes the estimated requirements and 

2 1 economic value that any given submitted idea would have towards that vendor. 

22 Human experts may play a role in evaluating the value of an idea to a vendor. In a 

23 busy idea market there is the need for a scheme by which ideas are automatically routed to 

24 the most appropriate individual experts to evaluate that idea, which is either within SDI or 

25 within the organization which most likely needs the idea. This routing scheme could be 

26 based partially upon attributes associated with experts and features extracted from the 

27 description of an idea. 
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1 13.2.2.8 _Negotiation Intermediation 

2 Given the above general application framework for SDI in which commercial 

3 entities can securely entrust to SDI with their commercial marketing and technology related 

4 focus and objectives, it is a reasonable extension to further extend this data Rich 

5 framework to enable the above described exchange of confidential information among and 

6 between commercial entities to occur not merely in a purely general and non-dynamic 

7 fashion but to additionally incorporate timely information which may represent time 

8 sensitive and critical decision processes which are in the process of occurring at that 

9 particular time and which may be relevant to the mutual strategic discussions and 

10 negotiations between the entities. A very important application/example of this approach is 

11 the fact that commercial entities may be in the process of negotiation with another 

12 commercial entity regarding particular commercial or technology related opportunity very 

13 often (the majority of instances) the nature of these discussions and particularly the identity 

14 (identities) is maintained as strictly confidential information throughout the discourse of 

1 5 these negotiations. Though the following solution may not be appropriate for all cases of 

16 confidential discussions and negotiations there may be particular instances in which a 

17 knowledgeable "expert" within SDI could be confidentially kept apprised of the details of 

1 8 the negotiations as well as progress and any obstacles as they occur. Of course, SDI and the 

19 expert have additional knowledge about the general and temporally specific needs and 

20 objectives of other third parties who may be potentially interested in the nature of the deal in 

21 progress. 

22 At a general level there may be the opportunity for the expert to provide high level 

23 probing questions to the appropriate parties or decision makers within the other commercial 

24 entities which certainly do not reveal any identifying information about the negotiating 

25 parties, do not reveal any proprietary technical details which would compromise the 

26 proprietary nature of this information and enable the identity_(identities)of the parties to be 

27 indirectly inferred in this regard. However, business terms and perceived value exchange 

28 may be thus conveyed as limited facts in the abstract or possibly in more detail depending 

29 on the particular situation. There may also be particular critical junctures and impasses in 

30 the negotiation at which point the vendor may be compelled to concede. These points may 
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1 be critical points at which it may be opportune for SDI to initiate or go into a deeper level of 

2 investigation with the other parties regarding the critical issues at hand. The above 

3 precedent may even be replicated among all other third parties, which SDI deems to be 

4 potentially receptive and legible to the prospective deal. This process is analogous to time 

5 of purchase competition in that if'when another potential deal is identified fi*om another 

6 entity which is more desirable the original negotiating party may be informed (as well as 

7 possibly the other relevant parties). This process may be reiterated as well. 

8 13.2.3. _A Real Time Experts Market 

9 In this section we suggest a market for expert opinions, in which users with an 

10 information-need are matched in real-time with "experts", that are prepared to provide 

1 1 information and opinions in retum for a payment. This economic approach can be used for 

12 example, if a vendor would like a user to provide feedback about its products and/or 

1 3 services: the user becomes an "expert" and can receive payment in terms of discounts in the 

14 future. The information in SDI can be used for the automated selection and user targeting 

1 5 of tasks, based upon profile information. 

16 We can allow users to be identified by another individual in which there are 

1 7 mutually beneficial opportunities for both parties to interact and -terms/conditions for the 

18 disclosure to the other party is defined within the user's data disclosure policy. For 

19 example, issued patent 6,029,195 Herz, et al System for Customized Electronic 

20 Identification of Desirable Objects describes a "system methodology by which users are 

21 able to find a knowledge domain expert to answer a query, deliver personalized advice for a 

22 particular issue or problem to which they are extremely knowledgeable about, and provide 

23 references to other information sources. 

24 The parent issued patent U.S Patent # 5754939 describes techniques for 

25 identifying experts on a communication network based upon their profiles and the search 

26 profile of a requester. In the present methodology we fiarther provide an economic 

27 mechanism to encourage well qualified experts to provide options, and find experts. 

28 There is currently within the prior art economic incentive schemes which can be adapted 

29 and effectively employed in this case in which it is possible to reward very well qualified 

30 (and truthfiil) opinions on a very broad range of issues and domains in which the 
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1 accuracy of the ultimate outcome of a particular opinion is directly rewarded. This 

2 mechanism effectively insures the quality of the referrals/recommendations and is 

3 considerably more efficient then immediate payments for referrals where quality and 

4 truthfulness of the expert advice cannot be audited prior to payment, thus creating a 

5 disincentive to provide truly "valuable" advice. 

6 The system of SDI can forward requests for information to experts within the same 

1 system as time-of-purchase competition, SDI acts as a CLEARING HOUSE for requests for 

8 information, and experts can bid to provide responses. The system of SDI can also help 

9 users to choose between experts, based on proficiency profiles that are derived fi-om the 

10 value of information that experts have provided to other users. We can allow experts to bid 

1 1 for the right to annotate and provide ratings for particular pieces of information, products, 

12 services, etc. 

13 In a web annotation example, as users provide annotations and recommend links, 

14 and other users provide feedback about annotations, then the system of SDI can build a 

1 5 "proficiency profile" for a user, to indicate the ability of a user to add value to the browsing 

16 experiences of other users. The information retrieval and document clustering methods as 

17 taught within the parent case #57549398 provide a statistically sound methodology to 

1 8 develop a user profile that predicts the "proficiency" of a user to provide recommendations 

1 9 about objects that fall in particular clusters. 

20 In the economic variation we can allow agents to bid for the right to receive high 

21 quality recommendations, at least in the case where recommendations are new and cannot 

22 be duplication on the basis of current recommendations. We can create an "experts market", 

23 where experts are assessed on their ability to provide quality to previous agents, as noted by 

24 those agents. SDI could also suggest a list of content categories that an expert might 

25 consider operating within. We can also apply the rapid profiling techniques in the parent 

26 case to assess a user's expertise based on his/her response to a set of questions. A rapid 

27 profiling tree is essentially a decision tree, which can be used to present a sequence of items 

28 to which a user "responds". The rapid profiling method enables a user profile to be 

29 constructed in the shortest possible sequence of inquiries to the user. In this case, the 

30 response is the user's recommendation links (which are then judged). With the benefit of a 
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1 comprehensive proficiency profile of the user the system may identify and present items to 

2 the user automatically (if s/he is amenable) for which the user is predicted to be proficient. 

3 We may pay individuals based on bonus points or coupons with future redeemable value 

4 across a network of vendor sites (e.g., within that particular SDI recommended alliance of 

5 vendor sites which may be dynamically generated for each individual user). Experts that 

6 include links to pages could be paid for the value of increased value based on those links. Of 

7 course SDI can continue to ensure that users are not motivated to provide biased links 

8 because of this type of financial incentive, continuing to monitor how useful other users find 

9 the links and recommendations. 

10 The market for experts and real-time information filtering can be applied to new 

1 1 content. Via collaborative-filtering based systems we can push new articles to appropriate 

12 users, so long as experts provide initial scores for articles. In such an automated news 

13 system users that represent particular types of customers can be paid to provide ratings of 

14 incoming news articles. Based on profile information these ratings then imply ratings for the 

15 customers of a news cutting service, therefore allowing filtering of news to the most 

1 6 appropriate and narrowly defined subgroup of users of interests. 

1 7 It can further be combined within the fi-amework of the present incentive scheme to 

1 8 encourage users who tend to individually find news, which is of particular relevance to their 

19 daily lives and unique interests to proactively collect information (including but not limited 

20 to digital recorded audio/video) and provide that information to news distribution systems. 

21 Collaborative filtering leveraging both the overall quality/interest of user content as well as 

22 of the nature of the new content which that particular user is providing can provide a nice 

23 method to filter and channel this information. 

24 The above bidding scheme enables a highly individualized incentive driven 

25 distributed news reporting system, which can significantly increase the availability of 

26 content for individuals. Users can continue to rate specific stories that they receive, so that 

27 the profiles of users are dynamically updated, and experts can be swapped in and out based 

28 on the assessed value and accuracy of new clipping. 

29 The present clustering techniques may also be used to identify users that are able to 

30 provide useful new content. This content may range from commentary, opinions, critiques 

3 1 and comparisons, but can typically be more robust than simple annotations, and may include 
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1 articles by knowledgeable experts providing pertinent or new information which is 

2 interesting or timely within the present context of the site. The predicted value to the 

3 particular cluster of users is a function of both the object profile of the original page as well 

4 as (perhaps even more relevantly) the object profile of the new content. 

5 We can also have experts bid for the right to participate in online discussions, where 

6 experts are selected that are polarized on a current controversial issue, in order to fiercely 

7 debate a particular issue. We could also select representative group members, fi-om within 

8 different primary clusters, based on the domain knowledge, skills, life experiences, 

9 preferences social/political or religious view or opinions of users, to engage in an active 

10 dialogue, interview or debate with the high profile individuals. Other members of clusters 

11 can be invited to observe a discussion, and to provide feedback to maintain information 

1 2 about the quality of experts. 

13 13^2.3.1 ^Expert Sales Consultants 

1 4 A static application of the information in the system of SDI to on-line sales is to use 

1 5 the information to generate an ideal list of prospects for sales agents, and then help sales 

16 agents to target products and offers to individuals. We can provide information to 

17 salespeople about users, according to the profile of a salesperson (and reputation), and a 

1 8 user's personal terms for data-disclosure. Similarly, a system of SDI in conjunction with tiie 

19 methods taught in co-pending patent allow automatic detection of salespeople close to users 

20 (via an anonymous location market). The market allows matches to be made, but does not 

21 reveal anything about a user that the user does not authorize. User profiles can also be used 

22 to determine responses to offers and products (see the methods in patent application 

23 "System for the Automatic Determination of Customized Prices and Promotions" [ INSERT 

24 PATENT OFFICE NO U.S. Patent Application #10/262J23 l SDI allows profiles to be 

25 built fi-om extended interactions across multiple vendors, so long as the user authorizes the 

26 same pseudonym for each vendor. 

27 As an example, consider an SDI-based system for contacting prospective customers 

28 and making personalized offers. The first step is to access the SDI pseudonymous user data 

29 base and identify the ideal audience of prospects for a product offering(s); then the second- 

30 step is to use the pseudonymous request protocols to request a sales call dialogue (or some 
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1 other form of dialogue) with the target prospect. The user's agent will then typically request 

2 further information (either before or after allowing access to even the pseudonymous profile 

3 database) such as what is the type of product (even possibly further associated details), and 

4 an associated approximate price range (which may be either negotiable or non-negotiable). 

5 The user may agree to allow a communication in the form of a targeted email that contains 

6 information content, or a link to a web page with additional information. This Web link 

7 and/or the e-mail can be personalized for the user, based on the user's profile. An email link 

8 on the web page could be used for direct Web-based IP telephony connection to the user 

9 (seller). Alternatively, a user's initial contact to web site could include encoded information 

10 about its profile, where the vendor can only receive the profile information if it can 

1 1 demonstrate certain profile properties. Large customers might then also receive specially 

12 hand-crafted information, if it is indicated that there is a large potential contract. The user is 

1 3 provided witii a unique URL, or preferably the site is initialized so that when its pseudonym 

1 4 is provided the offer is customized appropriately. 

15 A more interesting example is a dynamic "experts markef , which is an application 

16 of dynamic matchmaking between users in real-time based on their profile information is to 

1 7 a system for a virtual sales force. Users can also use seller profiles, to decide wheflier or not 

18 to interact with a seller. The profile of a sales-person may show correlations between 

19 product sell-rate and the type of product, type of user, that the sales-person interacts with. 

20 Initially seller profiles may not be very well related to sales-performance, but instead based 

21 on general SDI-style profiling, and wider (e.g. professional) credentials. Later, as a seller 

22 gains experience, profiling can be based on a sales-person's track record (and this will 

23 subsume other information). 

24 A consumer can indicate its preferences in its profile for "approach" by a sales 

25 agent, and then a match can be made with an appropriate sales agent dynamically in real- 

26 time via the above agent-agent matching and introduction process. The sales agent may be 

27 compensated when introductions lead to sales. The user could also receive preferential terms 

28 for a purchase, that can be realized online or in a physical store via coded print-coupons. 

29 This code with the time and identity of the (prospective) buyer as disclosed by the sales 

30 person. The buyer must authenticate that sales interaction (e.g., via disclosure of the code). 
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1 The criteria for matching the seller with a qualified prospective buyer is represented 

2 by client-provided meta-information associated with profile information, and can be used 

3 within a collaborative filtering system to determine the level of predicted interest which the 

4 buyer is likely to have for the items offered by a particular seller. The product space 

5 predicted to be useful to a buyer can be predicted based on his/her profile, browsing 

6 patterns, etc. Context can also play an important role, for example is the buyer currently 

7 engaged in browsing or buying related activities, can the buyer be persuaded to buy now 

8 with a good offer, or will the buyer never buy until he/she has performed more product 

9 search? 

10 Vendors may also compete for sellers based on the profile information and success- 

1 1 profiles of a seller, and a perceived match with the products offered by the vendor. A seller 

1 2 may also work for numerous categories of products/services and vendors. Finally, the sellers 

1 3 in the market could enter into a market-based system, so that buyers bid for the right to work 

1 4 with a particular sales person. 

1 5 Two other aspects of the present access to or by a prospective sales person include 

16 (1) In an off-line context, we can use a LEIA-based method to identify buyers and sellers 

17 with similar profiles in physical space, and dynamically reroute their paths to allow a 

1 8 meeting to discuss a possible trade. 

19 (2) Personal "Chemistry". In addition to a pure "product-space" set of profile features, the 

20 system might also consider wider compatibility between sellers and buyers in making 

21 meetings, for example choosing to introduce agents that share similar hobbies and spare- 

22 time activities. 

23 The problem might also be informational: e.g. find an expert on ancient American 

24 civilization for purposes of writing an article, or answering a specific question. Relevant 

25 information might include the expert's resume, and the expert's knowledge expertise profile 

26 developed from his/her activities in responding to previous queries. 

27 We might use a "fiizzy rule" to determine whether a user has a profile that is 

28 sufScientiy close to an agent's goal profile to allow an agent-agent interaction and exchange 

29 of information. When the rule does not quite fire the system of SDI might also seek to 

30 clarify points of uncertainty, requesting further information until there is enough information 

3 1 to decide on the appropriateness of a contact. 
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1 It is clearly desirable to automate information exchange as much as possible, so that 

2 the first thing that a user knows about an agent-agent negotiation is after a deal has been 

3 struck that satisfies a user's preferences. 

4 One approach is to perform data analysis on a large data set of users who share very 

5 similar profiles and to perform very similar actions and behaviors in all aspects of their 

6 successful interactions with other agents. The data analysis might also be used to suggest to 

7 agents when there is a problem, and when it will be usefiil for a user to provide more 

8 accurate information about what types of actions it is looking to perform in certain 

9 scenarios, i.e. when the current level of confidence about the action desired by the user is 

1 0 low. to many cases the system might be able to identify with a high statistical confidence 

1 1 level an appropriate action based on the collective statistics of other similar users and 

12 conditions. 

13 When uncertainty exists the system can suggest the actions that see reasonable, and 

14 allow the user to choose one action. A natural language interface might communicate to the 

15 user the system's interpretation of tiie user's current behavior, the statistical correlations 

1 6 with recommended autonomous actions. 

1 7 For example, if a user is at home in his/her study between 9-1 1PM she/he is likely to 

1 8 be engaged in work relative to a research publication tiius an invitation to other colleagues 

19 in this area will be extended and/or communication requests accepted to contact the user 

20 accordingly under these conditions. The system may detect other conditions in which the 

21 user may reject requests to correspond with tiiese individuals, when the user's current 

22 context is inappropriate. Given this kind of feedback about actions, a user may now 

23 periodically review and adopt rules. For example, a user could also state that whenever a 

24 user has recently corresponded with a particular individual then the user is in a social mind- 

25 set, and would rather not engage in work-related activities. 

26 There are numerous potential inputs .to the system which could be considered in 

27 predicting what agent-mediated actions are, in fact, appropriate. The techniques of the 

28 parent patent application [INSERT US PATENT NO] allow us to make strong inferences 

29 about the particular mind set of a user; i.e. reflecting present interests or preferences which 

30 the user is likely to be receptive to, presentiy based upon such clues as who the user is 

3 1 presently interacting with, the content profiles of the present real-time dialogues, e. g, typed 
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1 or spoken through a communications network, (or simply passively collected off-line), the 

2 object profile of documents or web pages being interacted with. Activities may further be 

3 inferred by such indicators such as the particular physical location of the user (i.e. within a 

4 LEIA-based system [INSERT US PATENT NO]): the particular sequence of movements, 

5 the particular types of devices with which the user is interacting, etc. 

6 More complex rules are certainly also conceivable, such, as the user will not interact 

7 with other users except under specific conditions, i.e. I will only talk to a user of type X 

8 (salesperson) if I have done nothing for the past 10 minutes and have nothing scheduled in 

9 my meeting planner. Such rules are initially hard-coded, but can then be leamed and/or 

10 validated based on inductive learning: i.e. is it the case that I am more receptive to certain 

1 1 types of activities at particular times of the day, etc? 

12 In some cases SDI may identify individuals whose personal data revelation requires 

1 3 certain minimal requested personal data fi-om the other party as a condition to an interaction, 

14 and SDI can again be used to automate this process is if it is well explained in a user's 

1 5 profile. When confidence is low the user may request additional information (anonymously, 

1 6 via SDI) and make a personal judgment in real time as to whether to continue an interaction 

1 7 and reveal more information, and whether or not an introduction is desirable. 

18 When information is valuable and sensitive, then it is important that initial 

19 information exchange is via SDI, without the end-users receiving explicit information. In 

20 overview, a user states the types of conditions that are necessary for a continued one-on-one 

21 interaction, and the system of SDI states whether or not conditions have been met without 

22 giving any specifics. Of course the identities of the agents are not released until 

23 introductions are made. SDI can track all activities, behaviors, and correspondences in 

24 which each user engages, and build a complete picture of the profile of a user with regards 

25 to interactions and the exchange of information. SDI may also use human experts to 

26 interpret requests and build rule-based systems to semi-automate decisions and automate 

27 easy cases. 

28 A simple but related application could be applied in the e-commerce domain to 

29 connect on-line customers with human sales representatives. A current version of this, 

30 offered by eStara, uses Internet-based telephony technology to enable browsers of on-line 

3 1 catalog pages to talk with knowledgeable sales representatives, simply by clicking on a 
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1 ''talk" button displayed on the web page of interest. Integrated into this methodology is 

2 the ability of the sales representative to identify which particular web page the visitor is 

3 currently viewing, thus enabling him/her to more efficiently and intelligently assess the 

4 needs of the customer. 
5 

6 This methodology could be further enhanced through the tracking of the user's 

7 pseudonym and associated profile data provided via SDI, which represents a far richer set 

8 of information than that used by eStara (which only makes use of the current web page 

9 identifier). A customer's full profile can include demographics, previous purchases, 

10 previous web-site visits, physical measurements (for clothing purchases), health history, 

1 1 and income. 
12 

13 In a sense, individual sales representatives also have personal profiles; these can 

14 include experience, demographics, languages spoken, previous customer contacts, and 

15 product knowledge. An especially important factor is a representative's relative success 

16 in selling particular products - this history may reflect various personal strengths and 

17 weaknesses. 
18 

19 When the customer clicks on an on-line catalog's "talk" button, his profile is 

20 immediately forwarded to the sales system, along with the particular product he is 

21 viewing. Matching algorithms (as described elsewhere in the patent) then choose the 

22 most relevant sales representative currently available for on-line communications. The 

23 representative is presented with a screen containing facts pertinent to the sale (including 

24 product details and extracts of the customer's profile), and he is then linked to the 

25 customer via Internet telephony. 
26 

27 Extensions to this technology include: 

28 

29 1 . Customized Price Discounts and Promotional Offer Recommendations 
30 
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1 By combining the predicted affinity of a user toward a particular item with price 

2 elasticity metrics (gleaned from his/her transaction logs and from real-time feedback 

3 provided to the system by the sales representative (e.g., the customer appears to be in a 

4 happy and spending mood)), it is possible to calculate a "personalized" price that 

5 optimizes the expected profit fi-om a sale. This optimized sales price is communicated to 

6 the sales representative, who is authorized to offer the discount to the customer. Digital 

7 coupon technology would be used to ensure that the offer is redeemed by that customer 

8 exclusively, and within a pre-set time limit. 
9 

10 2. Automated Sales Representative Support 
11 

12 While interacting with the customer, the sales representative is presented with 

1 3 constantly-updated screen that provides information to support his sales effort. 
14 

15 a. Rapid Profiling 

16 If not much information is known about a customer, the representative 

17 would be guided through a script designed to elicit the maximum amount of 

18 information in the least number of questions. This information would be used to 

1 9 rapidly supplement the customer's profile. 
20 

21 b. Customized Sales Scripts 

22 The representative's scripted sales pitch would be dynamically adjusted to 

23 reflect the profile and current attitude of the customer. For example, if a customer 

24 is having trouble making a decision to buy (which could be detected by voice 

25 analysis tools and the total time elapsed in the transaction), especially persuasive 

26 text, geared to the customer's demographic, would be presented to the 

27 representative. 
28 

29 c. Additional Offers 
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1 If separate, but related, products are predicted to be of special interest to 

2 the customer, the sales representative is alerted so that he can promote the 

3 additional offers while still in contact with the customer. 

4 l^Barter Exchange for Personal Favors 

5 hi this variation, SDI can act as an exchange where professionals can exchange 

6 personal favors, for example one agent might indicate that it wishes to be introduced to 

7 another agent that can help with a particular professional problem. Both buyers and sellers 

8 can submit their respective needs, for example the need for a particular personal or 

9 professional favor, and in the case of sellers the ability to provide favors. Other personal 

10 information, for example: professional, political contacts, organizational affiliations, areas of 

1 1 competence, professional responsibility and spheres of influence etc. can be confidentially 

1 2 entrusted with SDI and used to make particular types of matches. 

1 3 SDI can initially automatically define appropriate matches between the "buyers" and 

14 "sellers". Given sufficient data, humans may use content analysis techniques to define rules 

15 based upon certain key examples or commonly occurring request and matching solution 

16 pairs. The techniques of the parent patent application US Patent # 5754938 can also be used 

1 7 to refine rules, and create new rules, for the cases in which the level of confidence with 

1 8 introductions based with the current rule set is too low. The mechanism for establishing the 

1 9 value at which favors are sold might involve a bidding scheme, but in this case professionals 

20 may bid a "personal favor" in return for another favor. I.e. the transaction becomes 

21 disintermediated firom the outside economy, with a pure non-money based method for 

22 exchanging favors. A user with the ability to provide a favor receives bids from other users 

23 in need of the favor she/he is able to provide. Of course, the value of a given favor is likely 

24 to be worth more to some individuals than others. 

25 The nature of the favor may range from very small and mundane, e.g., providing 

26 professional or personal advice or answers to a question, or it may be very significant and 

27 resource intensive from the standpoint of the provider, e.g., making a professional 

28 recommendation for a job position or political decision or providing 

29 recommendations/referrals for clients on a professional level or providing business 

30 recommendations to a partner or affiliate regarding a given individual or commercial entity 

3 1 with which to do business. 
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1 The techniques of peer-ratings within a reputation system can be introduced, and 

2 extended to cover a wide array of qualitative descriptive attributes to reveal the 

3 qualifications and ability of an individual, to allow some individuals in the bidding process 

4 to be excluded in an initial "filtering process", because they fall below expected standards of 

5 service and performance. An auction based model may establish a price for a particular type 

6 of favor, and for a particular individual, and therefore users with high performance ratings 

7 could be expected to sell for higher prices than other agents. 
8 

9 4^Barter Exchange For Favors 

1 0 The qualification threshold of the provider of the favor is more important in some 

11 applications than in others. For example, if the favor involves an interaction with a 

12 particular individual for organization (e.g. a political favor) in which the individual's 

13 anticipated ability and qualifications may be a significant factor in the likelihood to achieve 

14 the desired results. And thresholds may be set relating to quality or qualifications in their 

1 5 regard depending upon the relevance of this factor and/or the importance of the favor, which 

16 depends upon the type of favor requested. The bidding process is typically a reverse auction 

1 7 in which the request favor is passed around to multiple individuals (or entities) which SDI 

18 deems qualified for the particular favor requested (thus the lowest price which fits the 

1 9 qualifications criteria is typically the offer which is accepted. In other (perhaps many) of the 

20 barter exchange for favors, the qualifications of the requester may be an important factor for 

21 the requester These qualifications may include, not only professional abilities, 

22 proficiencies and credentials, but potentially much more subtle attributes relating to the 

23 individuaPs interpersonal, social or psychological profile and/or behavioral profile, for 

24 example, how SDI predicts that the individual receiving the favor will integrate and adapt 

25 within a particular professional context and/or interpersonal context which defines the 

26 situation and/or environment with which that individual must interact and/or perform, e.g., 

27 as in a business deal, a professional opportunity, an educational opportunity, social 

28 opportunity, etc. In order for this pre-qualification of the requester to unilaterally work so 

29 as to assure the requestee with the level of confidence and trust in the requester which 

30 approaches that of a traditional favor (in which the requester and requestee are typically 

3 1 extremely knowledgeable and trusting in one another) requires a very efficient and perhaps 
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1 fairly comprehensive reputation system revealing much about the above described personal 

2 and professional aspects of one of both parties. As suggested, in such a system and just as 

3 important, is the trustworthiness of the individual providing his/her opinion about the 

4 credentialed profiles of the parties. Lideed a pohtical or decision maker in a large 

5 organization would be extremely remiss (and perhaps even politically harmed) if an office 

6 or position were provided to another individual (requester) in which weaknesses in that 

7 individual's professional and/or personality later became evident to the detriment of the 

8 organization or political entity, as an example. 

9 It is even possible, that in some cases, the need may exist for a pricing model in 

10 which the individual providing these credentials through the reputation systems is 

1 1 compensated for the task. If such an individual must be fairly knowledgeable and assure to 

12 properly judge professional or subtle personality components, this individual may develop 

13 an independent reputation for effectively and truthfully judging these certain characteristics 

14 on a category or domain basis. If the subset of "judges" is fully distributed and ubiquitous 

1 5 permeating a substantial portion of the population as a default, if the qualifications of the 

16 judge are unable to be validated in advance, it may be preferable to provide payment 

17 following a reasonable level competency and success on the part of the requestee and 

18 requester. Or, in another variation, users are required whenever appreciated (and in 

1 9 accordance with their own judging qualifications) to provide opinions on the individuals- (or 

20 other entities), and they must comply up to a certain quota and with truthful and accurate 

21 opinions in order to maintain privileges to engage in the service (e.g., www.favor.com ) or 

22 other applications or services resulting from the reputation system. It is also, of course, 

23 critical to ensure the judge possesses with regards to the individual or entity with which 

24 he/she is affiliated. In this case, the assumption is that the barter exchange for favors could 

25 cover nearly any type of favor desired by a user and the reputation system is implemented 

26 for most individuals. Of course, tiie present system may also be extended within a business 

27 context in which the favors include those provided by in between businesses. In both the 

28 individual and business application context, it is necessary for the above described use of 

29 privacy policies to dictate what types of individuals or entities a user or organization to 

30 include, exclude or price discriminations against e.g. to various degrees). 
31 
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1 The following section "Agent-Mediated Value Exchange in the Supply Chain" talks 

2 about an economic system methodology in which a "value chain" is established for which 

3 entities may compensate other entities for present or often future value, which is likely to be 

4 sustained as a result of certain actions performed on behalf of that entity. This value often 

5 conveyed in the form of "barterables" could also be provided in the form of "favors" 

6 between the commercial entities (or potentially in a variation, individuals). 

7 13.2.3.2 _A Market for Referrals 

8 Situations fi*equently arise in a variety of contexts of human interaction (whether 

9 social or professional) in which a user may wish to refer the user they are in contact with 

10 to another individual. Often this occurs in a professional services context which a user 

1 1 has a particular need/or other characteristics which make him/her an appropriate match 

12 for the services provided by the other party. Or in a business context, often a user will 

13 forward a business contact or associate to another colleague who is deemed more 

14 appropriate for the particular context and/or scope of business. Likewise, in a personal or 

1 5 social context users may sometimes meet two or more individuals which they observe or 

16 perceive share common interests, goals or beliefs or perhaps possess complementary 

17 capabilities, knowledge, or characteristics. In each of the above scenarios, virtual tags 

18 may provide substantial benefits. For example, the referring user could forward the 

19 relevant portion of the profile and identified need of the user to the referring party whose 

20 user agent may determine the acceptability of the request and/or the priority with which a 

21 communication or meeting could be scheduled (e.g., as could be automatically arranged 

22 by/between the two party' calendaring agents). If the referring party's agent is unable to 

23 make a decision or priority assessment for scheduling purposes) on behalf of the user, the 

24 agent could instead try to contact the individual him/herself for assistance (and statistical 

25 feedback to the system's data model). In order for these types of referrals to be performed 

26 efficiently, the area of expertise required can be specified, and provisions can be made 

27 about the type of referrals that a professional will accept. 

28 We can establish a market model for referring individuals within SDI, to 

29 compensate users for successfiil referrals. With SDI we can create a market that allows a 

30 wide set of criteria, including social/interpersonal skills, moral/ethical values, etc. to be 
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1 used to find good prospects for referral. SDI might also provide information to allow a 

2 system to predict the tasks or professional occupations most suited for a user. The system 

3 can look for correlations between profile data and professional successes, based on the 

4 historical track record of successes and failures. SDI might compute a list of human 

5 descriptive qualities that will secure payment for referrals, i.e. relevant attributes which 

6 SDI infers may be associated with useful types of social or professional individuals. 

7 The scheme might also be used to identify individuals with raw human potential 

8 that can perform well with the right type of training. We might use such a scheme to 

9 discover hidden talent within under-developed or impoverished regions of a country or 

10 the world. 

1 1 13.2.3.3 ^Groupware: Collaborative Project Development 

12 The present system framework is designed to provide a secure infrastructure to 

1 3 allow users who are most appropriate to provide a particular type of contribution, based 

14 on a precise contribution needed for a project. The project may be a collective project, 

1 5 developed by users who have all been introduced to the project within the same context. 

1 6 There is also a role for an evaluative component to compute relevance feedback in 

1 7 qualifying and quantifying the nature and quality of the contribution. 

1 8 We can also use a query-based system to establish a user's relevance to a particular 

19 task, or another user, along the lines of the method in patent "System for Generation of 

20 User profiles for a System for Customized Electronic Identification of Desirable Objects" 

21 US Patent #5754939 

22 Consider the problem of generating a team of individuals to author a document. 

23 This scheme can be deployed across intranets, extranets or the Internet. The degree of 

24 confidentiality provided and produced may determine whether certain credentials are 

25 required, e.g., the individuals belong to certain organizations and are under strict terms of 

26 confidentiality, etc., or whether the document's level of confidentiality is low enough to 

27 enable free access by users on the Internet who may want to, and are able to, usefully 

28 contribute. The idea behind the present scheme is to leverage techniques of natural 

29 language processing and/or information retrieval in order to develop profiles of 

30 individuals based upon the value of their past contributions to documents; for example 
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1 informational content, style of authoring, etc. In a Web-based application the content can 

2 be graphical designed content, perhaps even video segments. Within SDI it is possible, 

3 based on feedback from previous articles, to anticipate how valuable the information is 

4 likely to be for a particular readership. 

5 The problem might also be informational: e.g. find an expert on ancient American 

6 civilization for purposes of writing an article, or answering a specific question. Relevant 

7 information might include the expert's resume, and the expert's knowledge expertise profile 

8 developed fi*om his/her activities in responding to previous queries. Level of expertise 

9 might also include the size of projects performed within a particular specialized area, and 

1 0 relevant education qualifications. 

1 1 13.2.3.4 _A System for Smart Consumer Research 

12 There is a significant need within the field of consumer product creation and 

13 development to be able to more instantaneously, and on a larger scale, collect direct 

14 feedback fi*om a large number of consumers in lieu of much more sparsely populated focus 

15 groups and "product development" experts. There is also a need to better characterize 

16 consumers whose feedback is utilized in any kind of market test analysis. Collaborative 

1 7 filtering can provide a very efficient solution to both of these problems by enabling focus of 

18 feedback from selectively chosen consumers whose attitudes and opinions (and even 

19 marketing ideas) are the most meaningfial and representative of the large segments, 

20 comprising the majority of the consumer population for that product. We can fiirther extend 

2 1 this methodology to determine and measure the "value" of certain individuals in the process 

22 of product assessment, i.e. to identify the "experts" in a particular area. 

23 The information in SDI can be used to identify appropriate clusters of users for a 

24 particular product, so that a prototype or actual product can be presented to users, and 

25 feedback collected. The goal is to collect detailed feedback: across a variety of quality and 

26 consumer satisfaction criteria, more subjective opinions, areas of criticism and ideas for 

27 improvement or modification. The information in SDI on user profiles can be used to 

28 develop appropriate "test sets" of individuals for this purpose. In a cluster-based profile 

29 system, we might suggest that feedback is requested from agents that are close to the 
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1 centroids of a cluster, i.e. the users that best represent a set of users. We can even selectively 

2 cluster users based on metrics to a new product. 

3 Analysis can be used to determine how to market and price products and services to 

4 different clusters of users. The resulting feedback can be useful in determining in what ways 

5 to better adapt the product or modify the concept to better match the preferences and needs 

6 of the nearby larger cluster (i.e., larger market population of consumers) or (in another 

7 scenario) shift the acceptance rate from one consumer cluster with a high affinity to another 

8 with a lower affinity, however, with a larger market potential. 

9 We can use the information in the multi-user SDI database to predict the ability of a 

10 consumer to generate useful ideas for product concepts, improvements or extensions. These 

1 1 individuals typically (but not necessarily, exclusively) will belong to the cluster of the 

12 product. These users could also be used to create and assess various marketing/promotional 

13 ideas. 

14 Furthermore, we might build a system to provide incentives for individuals to 

15 identify commercial opportunities for a commercial entity. Again, profile information for 

1 6 the customer base of consumers might reveal possible synergies, and SDI might be able 

1 7 to derive descriptive summaries as to the type and nature of the opportunities which are 

1 8 best suited for a company, to allow easy future identification. 
19 

20 13.2.4 ^Information Exchange via Traditional Print Media 

21 In this section we note that a personalized offer from a seller to a buyer can also 

22 be executed via traditional print media. We explain how a physical coupon can be 

23 printed, for example at the point-of-sale, or in some shop-based kiosk, or at an ATM. The 

24 coupon can digitally (e.g. Via a bar code) specify terms of a transaction, etc. The co- 

25 pending patent application entitled "System for the Automatic Determination of 

26 Customized Prices and Promotions" further describes the preferred implementation for 

27 implementing customized offers via coupons, -through the use of cryptographically 

28 secure digital coupons which can authenticate the user and be delivered to the user in a 

29 non-transferable and non reusable manner. 
30 
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1 Within the system of SDI we can also use secure user features in the SDI database 

2 to offer special offers to an individual Of course, the vendor that requests coupon 

3 generation based on information about profiles can execute the request without knowing 

4 the profile or identity of the user. 

5 As explained in the top-level SDI description, within the query-execution module 

6 rules can be specified that determine whether a profile is suitable for an offer, and the 

7 type of offer to make; and the system of SDI can automatically furnish the provider of the 

8 profile information with a coupon (as long as that is compatible with that user's requests). 

9 The offer to a user can therefore be flexible, based upon a user's profile. The user may be 

10 given an encrypted code to present to a cashier when it makes a purchase, allowing offers 

11 to be made by vendors that are not on-line, to encourage a user to drive to their physical 

12 stores. More information can be available within SDI, for example to allow a user to 

1 3 receive information about quality ratings of vendors, for the products and services that 

14 have been provided to other users. In retum, the vendor may request certain purchase 

1 5 pattem data fi*om the user. In another variation, the user might enter certain identifying 

1 6 information such as the first several words of the offer, and then receive an email or fax 

17 of a barcode to take to the shop for scanning. 

18 This method of discounting can be extended to users with Personal Digital 

19 Assistants (e.g. palm computing devices) in a store, that can use a scanner to enter bar 

20 codes of products, and then enter into an agent-mediated negotiation to secure a good 

21 price for the product. The user may be requested to disclose certain personal data, if a 

22 "better" offer is to be provided. Again, even in the in-store application the vendor does 

23 not need to receive actual information associated with the user, the processing can be 

24 performed remotely either at the user's ISP proxy server or centrally on a SDI server, 

25 with the vendor providing methods to adjust prices and offers based on a user's profile, 

26 but without seeing the actual profile. 

27 SDI may also implement time-of-purchase competition, soliciting and revealing to 

28 the user competitive offers fi:*om vendors in stores in a close physical proximity to the 

29 user's location. The user could also be prevented with other types of useful information, 

30 including: information for competitive products including (nearby) locations, price and 
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1 functionality for eliciting time of purchase competition as well as previous customer 

2 complaints about each vendor. 

3 Finally, an alternative to dynamic negotiation with the vendor is that price labels 

4 in stores could encode a strategy that the store proposes to use to price-negotiation with a 

5 user, and just download this strategy to SDI and combine it with the user's profile to 

6 compute the final offer. The user receives a validated offer fi-om the vendor, that certifies 

7 that the user with his/her current pseudonym is able to receive the price or discount. The 

8 offer can be encrypted to prevent fraud by the user. 

9 As suggested above, SDI acting on behalf of the user may selectively release only 

10 that information which -based upon the presumed price/offer generation model used by 

1 1 the vendor will elicit a price decrease delivered to that user. Within this price negotiation 

12 process we can require that SDI releases just the right of information to optimize a user's 

1 3 price. This can be part of the understanding with a vendor (even though a vendor may 

14 commit to a strategy up-firont). SDI cannot falsify information on behalf of a user, but is 

1 5 fi-ee to withhold information. 

16 It is certainly conceivable that such a technique could be deployed by vendors, to 

17 allow customized pricing for users as they shop in a store via information encoded with 

18 product identities, and negotiated via profiles stored in decentralized SDI nodes. A useful 

19 default to make the system work for non-SDI based users could be to allow a user to user 

20 averaged ratings on various criteria, annotations, etc. 

21 Extensions of the present scheme could include other delivery media such as 

22 radio, TV, billboard, etc. For example, a web site could be provided to access 

23 information about a digital and personalized coupon, or access could be provided via a 

24 web-enabled cell phone. Printed classifieds could allow a prospective buyer to access 

25 satisfaction ratings via a printed bar-code type device, to allow the user to enter the SDI 

26 database via its personal SDI device. A hybrid voice/telephone approach is also 

27 interesting, where a user automatically discloses certain types of information to the 

28 salesperson, but is left to explain other -features that are not automatically provided. The 

29 LCD/browser of the phone might provide some of this information to the other user. This 

30 is an interesting hybrid: an SDI-enabled but human-mediated information exchange 
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1 system. Profile information can be required of the party placing the call, so that a user can 

2 ascertain what kinds of information should be revealed to the caller, based on its profile. 

3 Social or business related communications via physical mail could apply these 

4 same techniques, with a typical encounter made off-line, but addifional information 

5 provided by SDI in response (electronically), and supplemented as necessary with other 

6 information provided by the recipient of the mailing. As discussed elsewhere in the 

7 patent, the initial contact can be pseudonymous, with agents only identified with mutual 

8 consent. The mailings can be sent directly by SDI as the result of execufing a query. 

9 13,2. 5 ^Resale Markets 

10 It could be useful to extend the system of time-of-purchase to allow individual 

1 1 sellers, in addition to vendors, to participate in requests for products fi*om other agents in the 

12 system of SDL For example, we could allow an individual seller to inform the system of 

13 SDI that it has product X for sale, and that it is happy to submit ask price $Y whenever a 

14 customer within its local geographical area is about to make a purchase of a similar item. 

15 For a one-time price the system of SDI could quite simply incorporate these individual 

1 6 sellers on a continuous basis within a double market for goods and services. 

1 7 The system of SDI could even provide a more advanced service for sellers. An agent 

1 8 might inform the system that it has product X, and that it wishes to maximize its re-sale vs. 

19 usage value. The agent can indicate this time-cost tradeoff to the system of SDI, and then 

20 leave the system to track the average resale price, and determine an optimal time to provide 

2 1 the product for re-sale. 

22 A variation of the resale market could include a "barter exchange" in which the 

23 seller receives another item, typically of comparable value, from another seller. I.e. agent 1 

24 can state "I will barter A for B", agent 2 can state "I will barter B for C", etc. and the 

25 marketplace of SDI can look for a closed-loop of barters, such that every agent is happy. 

26 The user that buys a good can be an "advertiser" in a resale market, and other users 

27 subscribe and specify controls over the personal information made available to 

28 sellers/buyers. We can use a variation on credentials to act as "digital deeds", such that the 

29 system of SDI validates when a product was purchased by the user, and whether it was 

30 new/used. This takes much of the uncertainty out of re-sale markets because then buyers are 



Page 339 of 381 



SUBSTITUTE SPECIFICATION 



1 sure that the user is not falsifying information and items in the market. Digital deeds can act 

2 as credentials for ownership of a given product. 

3 In fact, an agent can even be automatically asked by the system of SDI on 

4 completing any purchase whether it also wants to have the item listed and available for 

5 resale. If no, she/he is asked if'when at a later times she/he may change his/her mind. The 

6 system can request information from the agent about the price range that she/he would be 

7 interested to sell the item at, and the agent could be presented with a typical price range for 

8 the item. Of course, in a dynamic auction-based system this becomes the "reservation 

9 price", i.e. the lowest price that an agent is willing to accept. Just as buyers can have more 

1 0 information about sellers, the sellers in the marketplace can have more information (even 

1 1 though it remains private) about buyers. For example, a seller can specify rules such as: 

12 "I will only enter into a contract to sell to an agent that has never defaulted on 

1 3 payment", etc. 

14 Similarly, users (e.g. owners of kittens) may have certain personal interests for items 

1 5 of personal or sentimental value, and wish that they are sold to certain types of users. An 

16 interesting extension allows vendors to impose restrictions on the re-sale of items. The 

17 system of SDI can implement these systems for a vendor, so that at least within SDI 

1 8 products of certain types (e.g. software products) are not sold second-hand to other users for 

19 cheap duplication, hiformation goods can also be protected at source — for example with 

20 digital watermarks to prevent unidentifiable duplication. 

2 1 Another variation is an auction scenario, where a seller brings an item to market, and 

22 buyers compete for the item. A professional, that makes a living by buying items and selling 

23 them on, might like an exclusive SDI-based auction site. Within the system of SDI we can 

24 support a network of auction-sites, that push agents around between sites and revenue-share, 

25 with source web-sites providing shares of revenue achieved in subsequent purchases on 

26 other sites. In another variation, the operator of a small site may be linked from a larger site, 

27 and provide a share of revenues to that larger site. SDI has a couple of important roles: 

28 monitoring purchases and ensuring that contracts are fulfilled, and also estimating the value 

29 of links if an up-front price is to be negotiated, based on information about the profiles of 

30 streams of customers to a particular site. 
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1 The information in SDI can be used to allow disintermediation of consumer-to- 

2 consumer markets, with agents able to reach ideal prospects based on personal information 

3 stored in the shared database, make an anonymous offer, and the consummate the trade of 

4 possible. This is likely the way of the foture in this consumer-to-consumer market. Just as a 

5 vendor in current e-commerce systems can store information about its own user-base, and 

6 use that information to send personalized offers to users, within the system of shard 

7 information in SDI all agents can share information with all other agents, and the playing 

8 field is leveled. Users can query the pseudonymous user profile data and (if permitted), gain 

9 direct personal access to appropriate target customer prospect. 

10 Conversely, prospective customers who are interested in a particular item(s) may 

1 1 query and access the database of users who are knowledgeable regarding that particular 

1 2 product/service (which may possibly be under a pseudonym), and also accessible to the user, 

1 3 i.e. available at an appropriate time and in an appropriate location. 

14 13.2.6 _Transportation Example 

1 5 Another application of user profile database, in the case that the database contains 

1 6 also real-time information, is in an application to transport scheduling problems. The traffic 

1 7 systems in many large systems are congested. Via the system of SDI it would be possible to 

1 8 allow agents to represent the wishes of their uses within an SDI-enabled mechanism that 

19 controlled access to certain lanes on highways. The goal might be to control the flow of 

20 traffic, such that users agree to pool vehicles based on similarities across planned trips, and 

2 1 users also payments in return for the right to travel at certain times and in certain lanes. The 

22 goal is a more efficient system that maximizes the sum value to all agents. 

23 Tte- his is an example of a more general application area, where agents can look for 

24 opportunities to change their actions and behavior in return for higher system efficiency, 

25 and/or payments. We describe below an application to user agents negotiating on behalf of 

26 individuals ("travelers") to optimize the efficiency of a shared transportation system. The 

27 fundamental idea is to embed multi-user awareness into the basic fabric of a transportation 

28 system, -in which the system aims to maximize the efficiency of the system by allowing 

29 payments between individuals. 
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1 To accomplish this task, the system must be able to anticipate both the immediate 

2 direct effects, a particular accommodative action will have on another agent(s) (mobile 

3 entities) as well as the indirect (cumulative) effect on the other agents and the associated 

4 time delay impact on each agent and on the entire transportation system as a whole. 

5 The techniques of the LEIA can be efficiently employed in tracking the present and 

6 anticipated activities, location and movement patterns of individuals who are in the process 

7 of traveling to a destination via simple or multiple modes of transportation, e.g., any 

8 combination of the following, i.e., pedestrians, automobiles, taxi, train, and bus (including 

9 public transportation). LEIA can be applied in both scheduling the flow of traffic for 

10 transportation media which are not subject to fixed time schedules (cabs, autos, pedestrians) 

1 1 as well as to dynamically improve overall efficiency of the movement patterns in order to 

1 2 assure that users on a collective basis arrive at their desired destinations with minimal delay. 

13 The system of SDI can implement a real-time market where agents make and receive 

14 payments in retum for changed actions firom other users. For example, agents with high 

1 5 priority may be prepared to pay more than other agents for the right to enter a highway at 

1 6 any particular moment in time. 

17 The market pressures at any point in time are between the marginal cost to an 

1 8 individual for changing his/her plan, and the cumulative marginal benefit to other agents in 

19 the system. Within incentive-compatible mechanisms, such as the regular price-based 

20 market place (e.g. the Walrasian tatonnement model) with enough agents, then it is optimal 

21 for an agent to reveal its true value for different outcomes to the marketplace, and the system 

22 of SDI in "clearing" the market can maximize system efficiency. 

23 The central contribution of the SDI system is that it acts as a trusted auctioneer, 

24 receiving information fi:-om agents, and implementing an outcome based on that information 

25 without releasing that information to other agents. All that agents see are requested actions, 

26 and payments received or payments to make. 

27 We could model a core sample of individuals on an active basis to determine 

28 implied valuation fiinctions for different types of users, based on feedback provided by those 

29 users about how happy they are at any point in time. Within an incentive compatible system 

30 it is optimal for an agent to have a truthfiil and complete representation of its valuation 

3 1 fiinction. The problem is to discover that valuation fionction. Any help from SDI, via data 
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1 mining techniques (i.e. similarities between my profile and the profile of another user that 

2 has rated his/her happiness) can be beneficial in reducing the costs of participation in such a 

3 scheme. Then, before taking a joumey, the user could provide some explicit information 

4 regarding the nature of the travel, for example the level of importance in minimizing travel 

5 time, whether the trip is business or sightseeing, the time of day, etc. With this information 

6 the system can assess the user's valuation fiinction, and then have the user participate within 

7 the market, and secure a plan based on actions fi-om all agents. The system might compute 

8 price thresholds, that represent different things the user can achieve for different prices. The 



9 system based upon its determination of situations/context can presents the price and time 

1 0 and urgency inferred for a user prior; which can be reviewed and corrected by the user. 

1 1 With this profile information, the auctioneer can now compute prices to clear the 

1 2 market and maximize economic efficiency in the system; taking the following approach: 

13 1. Armed with statistical information about the users of the transportation system e.g. 

14 the highway for the next hour, compute static (fixed) prices for different options. 

15 The goal is to maximize the efficiency in the market through a simple pricing 

16 mechanism, that is computed based on information provided to the auctioneer in 

1 7 advance. 

18 2. Announce the prices, and allow users to use the system as they desire, with 

19 appropriate payments made. Payments can be readily extracted fi-om agents via 

20 automatic toll systems. 

21 Of course over time the performance of such a system could be optimized, as the 

22 auctioneer (the SDI marketplace) learns about consumption patterns of the agents over time. 

23 One way to provide incentives for agents to provide information to die system to allow up- 



24 fi-ont computation of usefiil prices to support an efficient outcome would be provide 

25 discounts to the agents that provide information. When such a system works well then 

26 roadway traffic can be controlled, congestion controlled, via an automated price-based 

27 system. Additional information made available fi*om within SDI -might allow adjustments to 

28 prices, based on unexpected flows of traffic. Just because the prices are optimized once up- 

29 fi-ont, based on projections, and announced to agents using the system; it can still be possible 

30 to adjust prices during any particular period — so long as there is a method for that feedback 

3 1 to alter the actions of agents, i.e. there must always be an alternative to make such a system 
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1 work. Consider a two-road system, one shorter and one longer, then the longer route would 

2 be priced less than the shorter route, and the price differential adjusted based on current 

3 levels of congestion. 

4 Again, to clarify, SDI has a key role in this system. Agents are only prepared to 

5 reveal valuation and trip data within a system that carefully protects their privacy, and 

6 controls that information. 

7 Via the optimization performed to compute appropriate prices the model takes into 

8 account the effect on congestion that consumption decisions have, i.e. there is a relationship 

9 between the value to an agent that selects option A and the number of agents that select 

10 option A. The auctioneer needs a model of the transportation system itself to perform this 

1 1 type of computation. Essentially, we compute the fixed point of a non-linear system of 

1 2 equations. Stochastic optimization techniques are suitable for such a calculation. 

13 As the system collects more data it can be less important to require explicit 

14 information from agents within the system, unless it is believed that there is a special 

1 5 situation about to occur (for example a Flyers game), which will have unusual effects on 

1 6 traffic patterns. 

17 Co-pending patent application entitled LEIA-TR describes flexible tools and 

18 automatic traffic ticketing which could be integrated in to the same transaction 

19 infrastructure. SDI would provide a methodology to elicit information from agents, and 

20 dynamically set the price of traffic tickets and parking meter tolls to maximize the 

21 performance of a City's parking resources. For example, one goal of the transportation 

22 authority can be to optimize the amount of revenues it can achieve, by charging more during 

23 "high-demand" travel periods. 

24 Extensions of the present scheme could include coalition discounts, where coalitions 

25 of users can negotiate discounts based on group purchasing power (let us all use your system 

26 for a 10% discoxmt or we will use an altemative road system). The coalitions may be formed 

27 automatically within SDI using shared profile information, allowing agents with non- 
28 competing interests to "pool their buying power". Finally, it is interesting to note that users 

29 who share identical travel objectives can be encouraged to share vehicles, and/or public 

30 transport can be provided as altemative means of transportation on a dynamic basis. 
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1 13.3. _Client-Side Data Mining Applications 

2 Finally, we describe applications of client-side data mining, where the private 

3 information about an agent remains on its local client machine. Personalized of services and 

4 products is performed by pushing methods to the client machine, where the methods 

5 compute based on local profile information the most appropriate information for the user. 

6 This is very useful because the user retains absolute control over his/her profile information, 



7 but can still receive the benefits of personalization. This is an extension of iamworthit: users 

8 still provide profile information to the central database, to allow central queries and to 

9 receive value for that information, but never release identified information to a vendor. 



10 13.3.1 _Client-Side Personalization 

1 1 Client-side personalization allows vendors to push personalization rules to client 

12 machines that are special queries which use information store in a local client profile 

13 database to provide a user with personalized information and/or services. The 

14 personalization rules use locally stored profile information to compute an optimal product or 

1 5 service, or to allow a vendor to configure a virtual shop fi'ont. The answer to a query is 

1 6 returned to a vendor, to allow the vendor to push suitable commands to the client to enable 

1 7 appropriate displays to be created on the device with which the user interacts with the client. 

1 8 __Client side personalization is useful within the system of SDI because: 

19 a) It allows vendors to leverage profile information across multiple profiles that 

20 belong to an individual without explicitly receiving the information. 

21 b) It provides users with the convenience of using their true identities in payment 

22 and specification of delivery addresses for goods, because vendors do not need to 

23 receive any information about the profile of an individual except that which was 

24 learned during the transaction. 
25 

26 Although we describe methods to allow anonymous and/or pseudonymous payments 

27 and physical mailing of packages, through the use of third-parties or cryptographic 

28 techniques, it is usefiil to allow users to provide true identities because this fits better with 

29 traditional methods of business. 
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1 Personalization rules select the most appropriate information and products to display 

2 to a user. The client machine computes a selection, and responds to a vendor with its 

3 selection, so that the vendor can push personalized content and make customized offers. The 

4 traditional method of personalization has a user push profile information to a vendor, and 

5 the vendor push personalized information to the user. The provider can learn information 

6 about the preferences of the consumer, perhaps more information than the consumer trusts 

7 the provider with, given that the provider might sell the information to other agents, or use 

8 the information to determine the identity of the consumer. 

9 In safe personalization the vendor pushes its evaluation method and generic 

10 information to the consumer. This provides the same level of personalization, but without 

1 1 releasing any explicit preference information about the user's preferences to the provider. 

1 2 The vendor can still perform collaborative filtering in the central SDI data warehouse, for 

1 3 example with anonymous profile information or without receiving the information explicitly 

14 but submitting a collaborative filtering program directly as a query. With safe 

1 5 personalization the user can (a) receive financial rewards for his/her profile information; (b) 

1 6 provide profile information to allow collaborative filtering but retain ownership over that 

1 7 information; (c) receive targeted products and services. The method is illustrated in Figure 

18 19. 

19 The only information received by the vendor is implicit preference information 

20 based on the products or services that the consumer chooses as most appropriate. As a 

2 1 default, a user might choose to use a persistent pseudonym with a vendor, so that the vendor 

22 can collect profile information about the user across a number of interactions. The system of 

23 SDI also allows vendors to customize information on the basis of a user's transactions with 

24 other vendors, browsing activities across the web and also wider demographic information, 

25 all of which can be maintained at a user's client for safe personalization, and pushed to the 

26 central SDI data warehouse for collaborative filtering type applications. 

27 One draw back for a vendor is that it provides the agent computer with methods to 

28 target information. For example, Amazon.com must provide the agent computer of a 

29 consumer with a method to allow it to personalize fixture transactions. The method is 

30 valuable information to Amazon. However, to protect this method firom other possibly 

31 competing vendors, e.g. www.bamesnoble.com, Amazon can use encrypted codes to 
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1 represent the results of a profiling query on the user-side profile database, and these 

2 encrypted codes can even change periodically, or fi^om user to user. 

3 In the basic variation of personalization the vendor pushes a personalization query to 

4 the agent, to be executed on the agent's computer in the client-side query-execution module 

5 on the basis of the agent's single-user data warehouse. This is illustrated in Figure 1 8 above. 

6 The vendor then receives the result of the personalization query, which might state for 

7 example: "this user is very like my concept of what user Mary might want to buy", where 

8 Mary is an aggregate user that represents data mining the vendor has performed. 

9 Alternatively, the result might say something more direct like "show the user product X", or 

10 make special offer "Y". Whatever information the vendor receives in response to the query, 

11 it can then push commands to a user's agent computer to display graphics that represent its 

12 desired response. For example, in an Intemet application with a user that is browsing via an 

1 3 Intemet browser, the vendor could push HTTP commands for a personalized shop fi'ont for 

1 4 that user based on the results of its personalization query. 

1 5 We can describe a number of variations on this basic concept, that describe different 

16 method to compute the best action to take given a vendor's personalization method and a 

1 7 user's profile information: 
18 

19 -141. E very-time Client-side personalization. In this variation the vendor pushes 

20 a personalization method every time the user initiates a new interaction. The 

21 agent computer executes the personalization query, and makes its response to the 

22 vendor. The vendor can then send personalized content to the user. 

23 442. Periodic Client-side personalization. In this variation the vendor maintains 

24 (either vendor-side or user-side) the data that the last personalization was 

25 performed and pushes a new personalization query to the user periodically, when 

26 it thinks that the user's profile will have changed or its personalization methods 

27 have changed. At all other times, the user maintains as part of its profile the result 

28 of the most recent personalization, to send to the vendor and allow the vendor to 

29 provide personalized service. Alternatively, if the user interacts with the vendor 

30 under the same pseudonym in the fiature then the vendor can store the result of 

3 1 personalization for that vendor. 
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1 443. One-time Client-side personalization. In this variation the agent computer 

2 only ever performs a single user-personalization step, which is then maintained by 

3 the user as part of its profile for that vendor and passed in the future to allow 

4 personalization. 

5 It can be computationally complex to compute the result of a personalization query. 



6 For example, profiles about the objects on a vendors web page or in its inventory can be as 

7 large as the object descriptions themselves, and fiall decision tree representations to decide 

8 how to target -a consumer can be very large and complex. In cases where this is a problem, 

9 and it is inefficient or infeasible for the vendor to push a complete decision tree to the user 
1 0 we propose the following solution: 



1 1 4-?4. Iterative Client-side Personalization. In iterative client-side 

1 2 personalization the vendor and the user, via their agent computers, participate in 

13 an iterative distributed protocol to compute a personalization result for a user 

14 based on its profile. A similar method was earlier disclosed in US Patent 

1 5 #5753938 The idea is to structure the decision tree, and for example pass initially 

16 the first few levels to the agent. The agent computes the result of those levels, 

1 7 responds to the vendor, and the vendor passes the next few levels that are relevant 

1 8 to the result received. In this way, only the parts of the decision tree which are 

1 9 actually used to compute the result of a personalization query are exchanged with 

20 the consumer's agent computer. 
21 

22 Specifically for collaborative filtering applications, a simple technique can be used 

23 to reduce the amount of information that must be provided to a user to compute the result of 

24 a personalization query. In collaborative filtering a vendor's decision about which objects 

25 are appropriate to show to a user is made on the basis of a similarity comparison between 

26 the user's profile and the profile of other users for which the vendor has information about 

27 how they responded to certain objects. The straightforward method is to pass the profiles for 

28 an entire user population to the agent's client machine. This is undesirable when there are 

29 many users in the population. 

30 A better solution is to pass only cluster centers to the client, where the cluster centers 

3 1 are chosen to allow collaborative filtering to a sufficient degree of accuracy. For example, 
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1 we illustrate below an efficient method for collaborative filtering at the client, and our 

2 proposed efficient implementation. This is illustrated in Figure 20. 

3 

4 The idea is to select a subset of users that represent the entire space quite well, which 

5 the vendor has collected by performing data mining queries on the central SDI data 

6 warehouse, and then submit just those data points to the client, hi the Figure we plot the 

7 complete set of user profiles in profile space, with each user profile associated with 

8 information about how to target a product or service to a user with that profile. A typical 

9 method to perform collaborative filtering with data of this kind is to find profiles in the 

1 0 neighborhood of a new data point, illustrated with * in the above diagram, and then base the 

1 1 decision on what was successful or unsuccessfiil for those users. Clustering replaces a set of 

12 similar users with one "cluster point" that represents what information a typical user in that 

13 region should be shown. This can be computed using standard cluster analysis techniques. 

14 The reduced space of data points, shown on the right, is sent to the client, and the client 

15 performs collaborative filtering over the cluster points to computer an approximate solution 

16 to the Ml personalization query. Completing the example, the agent computer can 

1 7 determine which "aggregate user" its profile is closest to, for example Mary or Yu-wen, and 

1 8 send this to the vendor. 

19 Notice that the vendor does not even have to provide the "y- values", or the 

20 personalization methods which are associated with each user profile, it is sufficient for the 

21 agent to compute the closest cluster center and pass that information back to the vendor. 

22 This is useftil to vendors because the information is not usefiil to anyone but themselves, 

23 because no-one else can interpret what it means to be like aggregate "Mary". 

24 An alternative is to provide generic information to the client each time, and allow the 

25 client to display appropriate information automatically, without requesting information from 

26 the vendor. This removes the final handshake between client and vendor, and might be 

27 important if the user does not wish the vendor to receive any information about the result of 

28 personalization, not even how it decides to use the data provided by the vendor. The vendor 

29 only gets information in the case of a purchase. 

30 A simple extension, permitted with the architecture as described, because the agent 

3 1 computer implements the central SDI data warehouse query-execution and pricing modules 
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1 but with only profile information about the single user, is to allow the user to demand 

2 payment in return for allowing the vendor to make a personalized sales pitch. 

3 13.3.1.1 ^Implementation Techniques 

4 The implementation of our system for privacy-protected personalization requires the 

5 following functionality: 

6 (1) A vendor must be able to push generic information to a user's client machine 

7 (2) A vendor must be able to push methods to a user's client machine that allow that 

8 client to process the generic information locally, using a user's profile information 

9 as an input into a decision theoretic rule (that can be rule-based, collaborative 

1 0 filtering based, etc.) 

11 (3) A client machine must be able to process the generic information locally, together 

12 with a user's profile, and decide what information to display to the user. 
13 

14 A reasonable implementation of safe personalization within the system of Secure 

15 Data Interchange can leverage current World Wide Web standardization efforts that are 

16 based around the Extensible Meta Language (XML) [B97; CKR 97; KR97a; KR97b], and 

17 promoted by the World Wide Web consortium [W3C-XMLabc]. XML allows data to be 

18 structured and accompanied with a Data Description File that defines the semantics of the 

1 9 data, making it suitable for client-side processing by the receiving agent computer. The 

20 method to process the information can be for example implemented with the Java 

21 programming language, which will execute on a variety of different platforms via a Java 

22 Virtual machine. A vendor can send formatted data via XML and a Java program to target 

23 data to the user based on access to the user's profile information. 

24 It is important that the SDI client-side proxy agent carefiiUy controls the access that 

25 the Java method gets to an agent's profile information, but this can be structured in just the 

26 same way as with query-execution in the central SDI data warehouse. The method must 

27 maintain a separation between profile information and the execution state of the program, 

28 and check thaX all data access commands are consistent with a user's price rules (and data 

29 access rules). 
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1 Furthermore, it is important that the SDI client-side proxy agent executes the 

2 vendor's personalization query does not communicate profile information to other agents, 

3 and methods can be used to control the access of the query to communication ports, memory 

4 and disk space. 

5 Clearly, standardization of user's profile information is necessary, so that all vendors 

6 can write methods that can access a user's profile. One solution that would support 

7 implementations fi:'om multiple providers of profiling fianctionality (i.e. would not require 

8 clients running standard SDI-profiling software) would be to provider "XML-data 

9 wrappers", that convert non-standard formats into a standard XML data format, that is used 

10 by all personalization methods. One language for representing user profiles has been 

1 1 proposed by the W3C consortium, known as PIDL (personalization definition language) 

12 [W3C-PIDL]. 

13 13.3.2 ^Real-Time Targeted Advertising 

14 A useful application of SDI allows vendors to provide targeted advertisements to 

1 5 users based on their browsing behavior and other profile information, but without actually 

16 receiving explicit information about a user's profile. We propose an advertising-server, 

17 which controls the network of adverts on behalf of vendors and users. A user's client 

18 machine can receive a choice of adverts whenever it hits a web site in the iamworthit 

19 advertising network, with local evaluation based on the local profile information at a client 

20 to decide on an appropriate advert to display. 

2 1 The system is designed to support dynamic personalized advertising, with vendor- 

22 side competition for the right to present an advert to a buyer, and buyer side criteria for 

23 accepting or refiising an advert. A technical solution is presented to allow vendors to select 

24 an appropriate bidding-policy, to maximize revenue from advertising. We use client-side 

25 profiling and advertising selection to support targeted advertising with absolute guarantees 

26 on the privacy of a buyer. The ad-server sends a selection of adverts to a user, and the user's 

27 client chooses to display the most appropriate advert. 

28 With a limited capacity to display an advert to a user, it is necessary to control the 

29 adverts that vendors display. We propose an auction-based system to compute prices 

30 dynamically though competition between vendors. The auction is a second-price sealed-bid 
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1 auction that encourages advertisers to bid truthfully without "gaming" the outcome of the 

2 auction. The advertising auction is implemented on a user's client machine. 

3 In overview, the following steps are performed to support targeted advertising to 

4 users: 

5 1 . Buyer hits the web page of a vendor with an iamworthit advertising link. 

6 2. Vendor pushes content to the buyer (possibly personalized). 

7 3. Vendor contacts iamworthit ad server, requests an advert and pushes any profile 

8 information about the user. 

9 4. The advertising server represents a number of companies that wish to advertise 

1 0 with appropriate users, and determines a short list of adverts to offer to the user's 

1 1 client based on profile information. 

12 5. The user's client receives the choice of adverts and accepts an advert based on the 

1 3 values of bids and the likely suitability of an advert to a user. 

14 6. The client requests the advert from the ad server, and then displays the ad. 

1 5 Payment is collected for viewing the advert, and finally the user's response to the 

1 6 advert can_-be stored in the central SDI database for future tuning of advertising policies. 

17 _Figure 21 illustrates the system. The novelty provided by the system of SDI is that: 

1 8 (a) advertisers can decide when to place adverts and how much to bid based on historical 

19 information stored in the central SDI data warehouse; (b) the final advert is selected 

20 dynamically at the client with local profile information stored about a user. The stored 

21 profile information about users stored within Secure Data Interchange allows vendors and 

22 client-side SDI proxies to estimate the probability that a user will respond to an 

23 advertisement, given its profile and records about how other users with similar profiles have 

24 previously responded. 

25 Vendors, represented within the advertising-network server have access to some 

26 information about a user, and can compute an expected value of placing an advert, based on 

27 the final purchases made by other users that were shown adverts. Meanwhile, client-side 

28 machines have a more complete picture of a user's profile, and can compute the expected 

29 value of viewing an advert based on the advert and the price offered by vendors. In general, 

30 as the acceptability of an advert increases vendors will wish to bid more, and users will 
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1 accept the advert for less money. Competition between vendors drives the bid price up, and 

2 allows users to receive the value of information about their profile to advertisers. 

3 13.3.2.1 ^Example: Technique to compute the expected value of an advert, 

4 A collaborative filtering system can be used to predict the probability that a user 

5 with profile x will respond to an advert. The computation is based on historical information 

6 in the central SDI data warehouse- for similar users to the advert, and also on the basis of 

7 historical information for similar users to similar advertisements if there is little information 

8 available about the actual advertisement. Information can be provided to advertisers 

9 anonymously in performing queries, and also randomized if necessary. 

10 The basic technique is to select a set of users that have been shown the advert, or a 

1 1 similar advert, and are close in profile attributes to the current buyer. Call this the "relevant 

12 set". Given this, the probability Hit(x, Ad) that a user with profile x will hit an advert with 

13 profile Ad- can be computed as the ratio Hit(x) = Num_Hit / Num, where Num_IHit is the 

14 number of users in the "relevant set" that responded to the advert, and Num is the total 

1 5 number of users in the relevant set. 

1 6 Although subject to a certain level of necessary uncertainty, because buyer behavior 

17 cannot be predicted perfectly, ultimately it is usefiil to predict with as high an accuracy as 

1 8 possible whether a buyer will respond. Given a probability Hit(x, Ad) that an individual 

19 buyer will respond to an advert, a vendor can define a bidding policy. The policy maps 

20 Hit(x, Ad) to a value to bid for the right to target a buyer. 

21 Assume in this section that the profiling system places buyers into one of several 

22 "classes" of buyers, CI to Cn, given an advert with profile Ad, where each class has an 

23 associated hit rate, i.e. x e CI Hit(x, Ad) = Hit(Cl, Ad). Furthermore, assume that the 

24 system also predicts the average amount spent by a user that hits on the advert, or the 

25 average value to the vendor fi-om a hit, this can again depend on the class of buyer, and can 

26 be determined within a profiling system based on historical information about this advert, or 

27 about similar adverts. Let Rev(Cl, Ad) denote the value to a vendor with advert Ad of 

28 getting a hit with a buyer in class CI . Now, the vendor can determine its expected value for 

29 placing an advert to a user in each class, for example using the computation Val(Cl, Ad) = 

30 Hit(Cl,Ad) * Rev(Cl,Ad). 
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1 The system of vendor-side advert competition works as follows. Once a user hits a 

2 web page with an iamworthit-targeted advert, a choice of adverts are pushed to the user's 

3 client from the ad server. Each advert is represented as a three-tuple: 

4 ( link to location of advert, bidding function Bid(hit, rev) , profiling function 

5 Prof[le(x, Ad), value function Rev(x, Ad) ) 
6 

7 The profiling function Hit(x) = ProfQe(x, Ad) is used to place a buyer into the 

8 appropriate class of buyers, and compute the hit probability for a buyer, Hit(x) = Hit(x, Ad) 

9 = Hit(C, Ad), where x is the profile for the buyer, C is the class that the buyer's profile 

1 0 places it within, and Hit(C, Ad) is the probability that a buyer in the class will respond to 

11 the advert. A possible implementation of the profiling function is to encode it using 

12 prototypical cluster centers for a buyer in each of the set of buyer class types, and then 

1 3 assign the buyer with profile x to the cluster that is closest (in some well-defined metric) to 

14 the cluster type. The metric does not need to be linear in each of the dimensions of a user 

15 profile, and in particular would be expected to be place more weight on terms that are 

1 6 important to the hit rate in a particular class of buyers. 

1 7 As described, this method has the following useful characteristics: 

1 8 a) the hit probability for a buyer is computed at the client machine, using the profile 

19 that is stored at the client for the buyer. The client machine does not need to 

20 release the user's profile, and the user's privacy is assured. 

21 b) The information necessary to compute the hit probability can be encoded in space 

22 linear in the number of clusters, which is much more efficient that passing 

23 information about every relevant user profile to the client machine. 
24 

25 Without computational/communication restrictions one might pass historical 

26 information in the form of (Profile, Hit/Miss) pairs for users that have been shown the 

27 advert, or shown a similar advert. A nearest-neighbor algorithm could then be used to find 

28 the relevant set of profiles for a new profile x and compute the expected -hit-rate from the 

29 ratio of users with similar profiles that historically hit/missed the advert. 



Page 354 of 381 



SUBSTrTUTE SPECIFICATION 



1 The cluster centers approximate this solution, representing the average hit-rate of 

2 "close" profiles so that the client machine can simply locate the closest cluster center and 

3 use that as a proxy for the probability that its user will hit the advert. 

4 A similar technique can be used to compute the expected revenue from a buyer with 

5 profile X that hits an advert. In fact, this information can be computed using the same 

6 method, simply by associating an expected revenue with each cluster center. 

7 13.3.2.2 _Client-side Advertising Reverse Auction 

8 The client implements an auction for the right to show an advert to a user. The 

9 auction is a Vickrey auction between all the adverts that are passed by the ad server to the 

10 client. The Vickrey auction (Vickrey, 1961) is a second-price sealed-bid auction. Given 

1 1 bids bl, b2, . . . , bn the auction sells the right to show an advert to a buyer to the vendor that 

1 2 bids the highest value for the value of the second-highest bid. The Vickrey auction is useful 

13 because it is truth-revealing. The optimal strategy of each vendor is to bid its true value for 

14 showing an advert to a user. For example, with a profit-margin of 20%, it is optimal for a 

1 5 vendor to submit bid = 0.2 * hit * rev. If accepted, it will pay at most bid, and it will pay 

16 only enough to shave the bid of its nearest competitor. The auction is sealed, so competitors 



1 7 do not ever see the information in failed bids. Cryptographic techniques can also be applied 

1 8 to ensure that the bids are not inflated by the auctioneer. 

19 A user can also define an acceptance function in the auction, which represents her 

20 reservation -price to view a particular advert. Assume that the reservation price depends on 

2 1 the hit rate hit of the advert, and represent the price as Accept(hit). 



22 The client-side advert auction runs as follows: 

23 1. For every advert Ad, Compute the hit rate of advert Ad, given the profiling 

24 fiinction Profile(x, Ad) and the buyer's profile x, and the expected revenue fi-om 

25 showing the advert to the user, rev. 

26 2. For every advert Ad, with hit rate hit = Hit(x, Ad), compute the acceptance level 

27 accept = Accept(Hit) for the buyer and the bid for the vendor with the advert, bid 

28 = Bid(hit, rev). If accept > bid then reject the bid for advert. If no adverts 

29 remain, jump to step 7 (in this case no advert is shown to the user). 



Page 355 of 381 



SUBSTITUTE SPECIFICATION 



1 3. Given the bids that are not rejected by the client, sort them in order of increasing 

2 value, and insert a "buy" bid from the buyer equal to the value of its acceptance 

3 level for the advert with the bid of highest value. 

4 4. Accept the advert with the greatest bid, and charge the vendor the price of the 

5 second-highest bid. 

6 5. Fetch the graphics and URL for the advert, and display the advert to the user. 

7 6. The client monitors the actions of the buyer, and records (to be later transmitted to 

8 the iamworthit server) whether the buyer responds to the advert. 
9 

10 The buy bid in Step 3 will be less than the bid for that advert, because the advert 

1 1 was not rejected in step 2. However, this buy bid might be greater than the value of the 

12 second-highest bid for an advert, and is required to make sure that the price paid by the 

1 3 vendor that wins the auction is greater than the buyer's acceptance level. We make sure that 

14 the user cannot cheat by bidding just below the highest bid received by requiring that the 

1 5 user states his/her reservation value before the value of bids are revealed. 

1 6 A more general system for dynamic customized advertising might allow a vendor to 

1 7 specify a bid for each type of buyer, and also a maximum budget, so that the vendor that 

1 8 places adverts can maintain control over its spending. 

1 9 We might also allow users to specify in their advert acceptance policy how many 

20 adverts they are prepared to receive a day, so that they are not inundated with too many 

2 1 adverts, even if they receive financial compensation. 

22 13.3.2.3 ^Numerical Example 

23 The advert auction message from the ad server arrives with a choice of three adverts, 

24 Adl, Ad2, and Ad3. Each advert is associated with a profiling function, a bidding function, 

25 and a value function. The client machine computes the hit rate for each advert, based on the 

26 profiUng functions and its local profile for the buyer. Suppose hitl = 30%, hit2 =^ 5% and 

27 hit3 = 15%. The client machine also computes the expected revenue if the buyer hits an 

28 advert, revl = $2, rev2 ^ $8, rev3 = $3. The hit rate and revenue are used to compute bids 

29 for each advert, using the bidding function. Suppose that the bids are bidl ~ $0.50, bid2 = 

30 $0.70 and bid3 = $0.40. 
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1 Now, the client also computes the acceptance level for each advert, based on the hit 

2 rates predicted within the iamworthit system. Suppose accept] ^ $0.30, accept2 ^ $1.00 

3 and accept3 = $0.30. The bid for advert 2 is rejected because it is below the accept value. 

4 The bids for adverts 1 and 3 are accepted. Now, the auction is constructed with bids bidl 

5 and bid3, and accept 1 because that is the accept- value for the bid with the highest value that 

6 is not rejected. The auction takes the bids (0.50, 0.40, 0.30), and sells the right to advertise to 

7 the user to vendor 1 for $0.40 (the value of the bid from vendor 3). 

8 Finally, the client fetches the graphics and URL link information for the advert from 

9 vendor 1 , and transfers payment from the vendor to the user for the right to show the advert. 

10 13, 3.2.4 _Tuning an Advertising Strategy 

1 1 Although the optimal strategy for a bidding agent in a single Vickrey auction is to 

12 reveal its true value for the right to show an advert to the user, the vendors are bidding over 

1 3 a number of different auctions, and might have a limited advertising budget. 

1 4 Selecting appropriate users. 

15 One good approach is to start with a reasonable policy and then adjust it 

16 dynamically, based on feedback received from adverts using techniques from reinforcement 

17 teaming (see [RN 97] for an introduction). Offline simulation with methods such as Monte 

1 8 Carlo simulations can provide good initial policies, based on information about a simulated 

19 population of users, which could be provided anonymously by the system of Secure Data 

20 Interchange. Users can be provided with incentives to reveal information anonymously 

2 1 about their acceptance functions, to allow this type of offline modeling. 

22 A vendor can tune an advertising policy with a random sample of users, simulating 

23 the auction that runs on a user's client machine. Metrics such as the average number of 

24 times that an advert is shown to a user of each type, and the average amount that the vendor 

25 pays to show the advert provide information to allow optimization. For example, the 

26 analysis might show that although a particular class of buyers are most likely to hit an 

27 advert, there is also a lot of competition to show adverts to buyers in that class, and the 

28 average cost to show an advert is high. In this case a vendor can conclude that it is more 

29 cost-effective to- advertise to buyers in cheaper but less relevant classes. The analysis can 

30 also be used to check that the average buyer is not setting an acceptance level higher than 
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1 the vendor's bid, which again would indicate that the policy should target a different set of 

2 buyers. 

3 Selecting appropriate adverts. 

4 The system that we have described can be extended to allow a vendor to select an 

5 advert to display to a user based on the type of profile of a user. For example, a vendor can 

6 pay for the right to be one of N vendors that compete in an auction for the right to advertise 

7 to users that hit the web page of a particular vendor. We can allow a vendor to not only tune 

8 its bid to the profile of a particular user that hits a web page, so that only users with a good 

9 fit with the service offered receive the web page, but we can also allow a vendor to tune the 

1 0 advert that it shows to a user. 

1 1 We allow a vendor to submit a number of different adverts and bid functions via the 

12 advertising network server. The client-side auction can be expanded to allow multiple bids 

1 3 fi"om each vendor, where each vendor can submit a number of bids, but only pays the second 

1 4 highest price bid fi*om another vendor. Again, the auction is truth-revealing for a vendor. 

15 13. 3.2.5 Automatic Advert-Replacement Systems 

16 Although there are potential copyright violations in any system which alters the 

1 7 content of information published by a vendor before displaying that information to a user, 

1 8 we comment that the above described system can be applied even with vendors web pages 

19 that do not subscribe to the advertising network in SDI. Adverts can either be replaced, or 

20 added in separate windows. This enables any user that subscribes to SDI to receive 

21 personalized adverts and revenue from advertisers, irrespective of whether or not pages are 

22 within the SDI network. 

23 The key problem in ad replacement is to identify an advertisement within a page, i.e. 

24 information that is not related to the core purpose of the page. At present adverts may take 
2 5 one of two forms : 

26 (a) They can be statically, or dynamically, generated at the web server of the web 

27 page that the user hits, and pushed to the user directly at the same time as the 

28 general content. 

29 (b) They can be pushed to the user in parallel with the other non-advertising data on a 

30 web page, for example with a link to an advertising network. 
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1 

2 The adverts in (b) can be identified by tracking ad server URLs that are embedded in 

3 the source code of web pages. Case (a) is more difficult because there is no identifying URL 

4 to indicate the content of the section of a web page. However, there are solutions to advert 

5 identification in these cases, for example via regular expression identification and the 



6 location of ad banners, as described in www.iunkbusters.com and the "block files" that 

7 allow a proxy server at junk busters to strip adverts fi-om pages. Another technique is to 

8 identity URL's that allow a user to click to another domain fi^om within the current page. 

9 These might likely be adverts, consider for example, a link to www.buyanewcar.com on the 
1 0 New York Times web page. 



1 1 Another variation applies to television commercials and other broadcast medium, 

12 especially as the data storage capacity of local set top boxes increases. For example, a code 

13 is transmitted by national networks to cue local adverts fi-om local network stations, 

1 4 allowing the replacement by personalized adverts from advertisers in the SDI ad network, hi 

1 5 the fiiture it is also likely that we will use digital storage devices to receive entertainment 

16 and television programs that are broadcast, storing the information for future viewing, or 

1 7 even slightiy delayed "on demand" viewing. With digital media and storage, it is possible to 

1 8 replace adverts inserted into programs by the producers with SDI targeted adverts, either 

1 9 with or without the cooperation of the source of the information. 



20 S7 I3.3 Additional Applications 

21 1 . Use of Real Time and Anticipated Vehicle Location Data to Provide Real Time 

22 Traffic Reporting and Predicted Traffic/Congestion Modeling 



23 

24 a. Real Time Traffic Reporting 
25 

26 A simple but usefiil application of LEIA involves on an opt-in basis real time 

27 transmission of a sample of driver's location information to a regional traffic- 

28 reporting bureau. Though existing prior art approaches are reasonably efficient, 

29 there are common circumstances in which congestion may have just occurred 

30 (e.g., following an accident) or wherein congestion has recently cleared up and 
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1 such up to the minute information is not available to the traffic bureau. Moreover, 

2 this approach could be extremely advantageous in providing optimal navigational 

3 assistance for drivers wishing to optimally reduce driving time to a particular 

4 destination, which she/he submits to the system. The present system would 

5 consider the comparative length of different routes from the user's present 

6 location to the destination in combination with the anticipated average speed 

7 based on that of other vehicles traveling those particular routes. This enables real 

8 time recommendations to be presented to the user, based on this real time data. 
9 

10 b. Predictive Modeling of Traffic Patterns Based upon Real Time Location Data 

1 1 from Vehicles 
12 

13 It is possible to apply certain statistical techniques in order to predictively 

1 4 anticipate traffic patterns for some marginal period of time into the future based 

15 upon real time location data regarding the present case sample of vehicles. One 

16 may consider recent past traffic patterns compared to present traffic patterns (i.e., 

17 change in speed as a function of fime by segment of highway as well as absolute 

1 8 and rate of change in traffic volume). There are pre-existing models which are 

19 able to anticipate the corresponding effects of congestion at the moment in which 

20 it begins to occur which utilize these variables. This model must also consider the 

21 rate of change in average speed over each segment as well as the predicted impact 

22 of changes in traffic volume from feeder highways based upon changes in volume 

23 occurring dynamically thereupon. It is a key objective of the navigational 

24 assistance feature to utilize future predictive traffic models, in order to optimize 

25 the reducfion in transit time for the most number of users possible, —i.e., 

26 considering the volume of traffic which is predicted on a segment by segment 

27 basis in combination with the traffic models for the impact of these volumes upon 

28 transit time (including the rate of increase thereof). With this data, the system can 

29 determine, in advance, on an individual driver basis, which route for a given 

30 requested destination, will provide the shortest drive time for the user, while 

3 1 insuring that a near optimal transit time is achieved, across all segments of the 
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1 highway system, as a result of each individual system recommendation to each 

2 driver. For example, an anticipated compounding congestion problem would 

3 warrant the vast majority of vehicles to take alternate routes until the congestion 

4 or predicted congestion is alleviated in that segment. 
5 

6 2. Use of LEI A for Creating Traffic Models for Purposes of Mapping Commercial 

7 Industrial and Residential Real Estate Market Opportunities - 
8 

9 A very useful application of LEIA involves the collection of traffic pattern data 

10 on a time-specific basis (the day of the week and time of day) for the traffic, as it passes 

1 1 each piece of real estate. An electronic map which is ideally Web based (potentially 

12 nationwide is generated and constantly updated based upon this data. Additional 

1 3 information may be provided which may include (but is not limited to): 
14 

15 a. Origin and destination information of the vehicular traffic (as captured by 

16 LEIA) which may, especially if correlated with time, suggest the nature and 

17 context of the driver's activities, e.g., rush hour traffic, errand traffic, etc. It may 

18 be useful to factor in the type of neighborhood the vehicle returns to every night, 

1 9 the type of commercial or business entity she/he drives to work to each day, etc. 
20 

21 b. Other activity-related clues which the user is willing to release, e.g., devices 

22 interacted with, content interacted with or transmitted information, etc., which 

23 may provide insights into the mind-set of which users tend to experience when in 

24 the vicinity of the real estate property. 
25 

26 c. User Profile Data - Aggregate purchase and content affinities as well as price 

27 elasticity data (gleaned from purchase statistics) could be very usefiil information 

28 to commercial real estate developers and purveyors. Users with. the right profile 

29 and a receptive mindset are of particular interest. 
30 
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1 It should be noted that the present system may be extended to residential real 

2 estate. E.g., what types of jobs (such as quality of jobs) do local commuters have? What 

3 are their numbers? How far do they commute (particularly if they tend to commute 

4 further than the present real estate site)? Do their commuting routes tend to pass the 

5 current potential real estate site? The last three questions would also be particularly 

6 relevant as well for a prospective industrial real estate development opportunity. 
7 

8 Industrial real estate developers also may be interested in mapped models of real estate 

9 depicting the professional and known likely educational characteristics of the associated 

10 local residents in that region? What are the other businesses at which they work? (If 

1 1 available) what are their particular positions/responsibilities? 
12 

13 3. Use of LEIA for Creating Traffic and User Profile Models of Traffic Passing 

14 Billboard Sites and Providing a Map of Such Information on an Available Billboard Site 

15 Basis - 
16 

17 The presently described techniques for providing dynamically updated 

1 8 informational maps containing detailed statistical data regarding vehicular traffic passing 

19 real estate sites can be fiarther extended to similar maps of interest to advertisers which 

20 contain locations for available highway billboards. The present system further provides 

21 Web-based access, which enables advertisers to make reservations and purchases of such 

22 billboards. In one preferred variation, an economic model is deployed to optimally price 

23 the billboards. I.e., a varied representative sample of each type of billboard sharing 

24 similar traffic/user profile features with others is auctioned for this purpose. In another 

25 variation this on-line auction model is deployed for all billboards available by the system 

26 in order to provide a novel service to advertisers which is a "billboard auction" site. 
27 

28 4. Use of LEIA for Enabling Drivers to Identify and View Sales Opportunities and 

29 Offers Associated with Physical Objects in the Surrounding Environment Utilizing 

30 Heads-Up Display Technology 
31 
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1 The present system is an extension of the virtual tag methodology in which 

2 physical objects contain meta-data and in which the location of such objects with respect 

3 to the user is determinable either by transmission of a signal, which contains the exact 

4 physical coordinates of the object or a scheme by which this information may be pre- 

5 loaded, which is typically from a server, which contains such information (thus "non- 

6 wired" objects may be identified accordingly) to the user's device, e.g., as she/he 

7 physically travels in the vicinity of such items. In either case, the present physical 

8 location of the object must be known in addition to that of the user (in the case of fixed 

9 objects, of course, the dynamic location tracking techniques are unnecessary). A primary 

10 commercial application of the present scheme applies to purchasable items. The user 

1 1 may submit his/her interest profile to SDI for purposes of being dynamically notified and 

12 disclosed of purchasables which match his/her user profile or specifically requested 

1 3 search criteria. The metadata may include a brief description and any additional level of 

14 information which the seller may be willing to disclose to that particular user. The seller 

15 may possibly request details regarding price elasticity of the buyer (purchase appetite) 

16 before quitting any discounts to the existing price. Prime example applications of the 

1 7 present scheme may include: 
18 

19 1... Revealing used car sales opportunities to drivers (by actually flagging relevant 

20 vehicles which the driver passes (or which pass the driver); 
21 

22 2. Real estate and home sales opportunities (as well as apartment and commercial real 

23 estate rental/leasing opportunities; 
24 

25 3. User-user introductions in which one or both users may be extremely interested in the 

26 other based upon matching criteria within their associated social, information and/or 

27 professional desires and assets. 
28 

29 The preferred underlying technology for the present heads-up display system involves a 

30 technique for tracking the orientation of the user's head as well as the direction of his/her 

31 pupils (it may be possible, however, to implement the system by detecting pupillary 
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1 direction based solely upon the position of the pupils relative to one another, using a 3-D 

2 optical tracking device. The iris of the user may also be utilized as a bio-metric identity 

3 of the particular user (see issued patents assigned to IrisScan Corp.) In the preferred 

4 implementation, the head-up projection device projects the virtual flagger upon the 

5 portion of the windshield or window(s) which is in direct line of site between the user's 

6 pupils and the physical object of interest. The technique may utilize heads-up windshield 

7 display technology and/or remote projection (e.g., for projection upon the side windows). 
8 

9 In another more advanced version of the system, the holographic projection system using 

10 micro-mechanical techniques may project the information directly upon the user's retina. 

11 This technique is detailed in co-pending patent applicfation entitled "Remote Retinal 

12 Imaging Projection System" The variety of other potential applications of the present 

1 3 technologies are also conceivable which include: 
14 

15 SYSTEM FOR PROVIDING REMOTE ACCESS AND MODIFICATION 

16 CAPABILITY OF DOCUMENTS AND E-MAIL BY A SENDER 
17 

18 The present system involves the use of a technique which enables the sender of a 

19 document, upon permission of the recipient, to provide subsequent updates and revisions 

20 to that document remotely and automatically in the absence of the recipient. Utilizing the 

21 computer's modem and e-mail delivery system, these updates could be provided remotely 

22 by the original sender (who alone can gain appropriate access privileges through a unique 

23 access code or authentication). The sender may also be able to identify whether or not 

24 the old version had been accessed by the recipient and possibly even at the level of the 

25 particular segment, or segments in which the specific changes had been made. (This 

26 capability could also be two way in which certification of not only receipt, but also access 

27 particular portions of the information by the intended recipient could be positively 

28 confirmed by the sender however, subject to approval by the recipient). If the recipient is 

29 amenable, such receipt confirmation could also be automatically time stamped by a 

30 secure trusted agent on the recipient's machine. The system could also perform the 

31 appropriate modifications in different drives on which the document is stored. If the 
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1 appropriate modification was performed on the hard drive, but not a copy on the 

2 floppy(s), the recipient could be notified and prompted to insert the floppy(s) for 

3 appropriate updating until all versions of the original document are updated. It should be 

4 noted that such latter functionality would even be of independent utility to standard 

5 modifications as performed with word processing systems. The above same features 

6 could also be provided for e-mail as well_(in a variation, time stamped receipt could also 

7 be applied to voice mail as well). The recipient if he/she had not approved the remote 

8 modification in advance, the sender could request the access/modification privilege of the 

9 recipient via e-mail or instant messaging service for example. The recipient may also be 

10 able to identify a digital time stamp for the relevant portion(s) of the document (or e- 

11 mail) as modified/updated by the sender. In a variation, XML metadata containing 

12 digital time stamps could also be utilized for the standard modifications, which occur 

13 throughout the document, i.e., the nature of the modification, i.e., the addition, change or 

14 deletion, the time it was performed, on which machine, under which password and if 

1 5 relevant by which remote user. Outside of the context of the present remote modification 

16 system this fiinction could be integrated into a standard word processing system with 

17 standard comparison check fiinction. Such digital time stamps would help in proving 

1 8 identity and date of authorship at a detailed level. 
19 

20 In a variation of the present system, a user could also receive automatic notification 

21 iC'when a recipient has accessed (or provided an associated modification to) a document, 

22 portion thereof, e-mail or voice mail. This would require the recipient to provide 

23 approval of the above privileges for the sender in response to a request prompt. In 

24 another variation of the present system, the provider of a URL may receive time-stamped 

25 verification of a user having accessed a URL (which may request a uniquely identifying 

26 access code or other authentication or the Web page may be accessed by that user who is 

27 provided with a completely unique URL, thus verifying access by that user for remote 

28 access, modification and associated time stamping. If the URL is not under control of the 

29 requestor of the verification the accessor' s client or Web-centric script (associated with 

30 his/her access account) could notify him accordingly with similar time-stamped 

31 verification of access. In another related application of the present capability, the 
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1 accessor' s script could carry-out certified verification of more diverse or complex actions 

2 by a desired accessor, for example: 
3 

4 1 . Verify (and if desired notify) the requester of the accessor having sent or received and 

5 read document (or e-mail) with content X to or fi*om recipient or sender Y. For 

6 example, knowing that recipient had read a message or document sent by the sender 

7 (or another sender) or otherwise accessed may prompt requestor to take the next 

8 action or communicate with recipient. 
9 

1 0 Or verify (and if desired notify) the requestor (e.g., an employer) of the accessor (e.g., 

11 an employee) having made telephone contact with X individual(s) or phone 

12 number(s) at a certain time(s) (or within a certain time frame and/or containing 

13 certain message-type or content). Or the content (contextual profile) of the 

14 conversation(s) may be revealed or confirmed as being within a target contextual 

15 domain(s). 

16 2. Verify (and if desired, notify) the requestor (e.g., an employer) of the accessor (e.g., 

17 an employee) having performed certain definable and/or desirable volume of on-line 

18 tasks, e.g., typed certain type(s) of content, performed certain accounting, billing 

19 (telephone handling courteous) prompt or other administrative functions. Knowledge 

20 by requestor (e.g., via notification) may then prompt requestor to take a subsequent 

2 1 action (or e.g., communicate again with accessor). 
22 

23 3. For any of the above notify requestor (e.g., employer) of the failure of the accessor to 

24 perform certain desired (and/or volume) of tasks with pre-defined threshold 

25 parameters. 
26 

27 4. Verify and, if desired, notify requestor (e.g., teacher or parent) of accessor (e.g., 

28 student or child respectively) of certain on-line content consumed, e.g., Web pages, 

29 paragraph by paragraph content (including wireless e-books) or on-line homework, 

30 such as quizzes, essays, reports, in conjunction with or independent from such on-line 

3 1 content. 
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1 

2 5. Verify and, if desired, notify requestor (e.g., employer or teacher/parent) of accessor 

3 (employee or student/child respectively) of accessing, generating or conversing 

4 (acoustically/telephonically or textually) certain content which falls outside of a 

5 certain defined set of content clusters which are deemed "appropriate" within certain 

6 time periods (e.g., work-time such as when the user is "clocked-in", homework time, 

7 etc.) or in general. And/or verify or notify accessor of certain clusters, which are 

8 accessed or generated within certain content clusters. The above cluster based 

9 identification rules may also be definable by not only time of day or day of week, but 

10 domain, e.g., e-mails and phone conversations of a "social" context or style are 

1 1 inappropriate while pornography is inappropriate during work time for employees or 

12 anytime for students or children. The present "conversation" based variation, may 

1 3 even be implemented in conjunction with a passively collected acoustic monitoring 

14 via the client's microphone of an employee's, student's or child's spoken 

1 5 conversations in/around his/her (or a) client machine. Identity may be determined in 

16 conjunction with associated voice print information and bias results to documents, 

17 which match that style in accordance with the appropriate weighting criterion 

1 8 matching the user profile. 
19 

20 b76. Give the user a set of selection criteria to bias the search (or recommended 

21 navigational links) by those styles, which s/he desires presently. 
22 

23 In addition, the present system could fixrther actually use style as an additional means for 

24 identifying documents, which may be relevant to a search, e.g., determine what style(s) a 

25 preponderance of document in the present search tend to possess, then add this criteria as 

26 an additional weighting criteria to determining document relevance (or finding new 

27 potentially relevant documents). I.e., as part of the information retrieval (attribute 

28 cluster) model, use "style" as an additional attribute for and similarity to other documents 

29 and queries. 
30 
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1 System for Mining User Reactions and Responses to On-line Media by User Profile 

2 Characteristics: 
3 

4 As described, are some primary examples of how the present technique can usefiilly 

5 be deployed. User profiling may also be usefiilly applied for purposes of collecting feedback 

6 about various types of user reactions and responses to various on-line stimuli (e.g. general 

7 Web and e-commerce sites to various products such as movies, music, interactive content, 

8 advertising news, interactions with other users etc. A somewhat related methodology was 

9 disclosed in the parent patent involving a technique for allowing users to rate vendors 

10 according to a variety of criteria and enabling the vendors (e.g. for marketing purposes) 

1 1 and/or users to observe statistical correlations between the user profile characteristics and 

12 ratings (using data mining techniques), hi a simple example, application of the present 

13 methodology, the users viewing a Web page (containing any of the above suggested 

1 4 informational types) are allowed to provide their personal comments about the page or about 

15 their own experience in viewing the page, hiformational retrieval and statistical NLP 

16 techniques may be used to cluster (using standard clustering techniques) both the comments 

17 (by similarity of their content profiles) as well as the users (by similarity of their user 

18 profiles), hi the first instance, the comment cluster exemplars are extracted, used as the 

1 9 comments which most closely exemplify each of their associated clusters and thus presented 

20 to vendors and/or users. The aggregate (average) of the user profiles associated with that 

21 cluster, the user profile of the user who provided the exemplar comment or the subset of 

22 user profiles which characterize subclusters of the comment clusters (wherein the 

23 subclustering routine is based upon the profiles of users within each comment cluster) are 

24 also presented to the users or associated vendors in conjunction with the exemplary 

25 comment most closely associated with that stereotypical profile of users, hi a variation, 

26 which could be an automatically selected alternative if the exemplar fails to provide a clear 

27 representation of the various comments in the cluster (if fiirther subclustering does not 

28 adequately achieve this objective), it may be possible to "combine" these various comments 

29 which are closest to the clusters' centroid by identifying those portions of the comments 

30 which are similar in meaning and those portions which are different. For similar portions, 

3 1 by preferentially utilizing the counterparts which are closest to the centroid and adding to it 
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1 those portions which are different in piecemeal fashion, the desired objective may be 

2 achieved. 
3 

4 In a variation, the different types of comments may be clustered and accessible to 

5 users via a hierarchical cluster tree used to create a menu of automatically labelled clusters 

6 (see parent patent detailing this general method). Users may access such menus by 

7 combining querying (of user or content attribute with menu navigation). 
8 

9 It is of course reasonable to combine the technique in the parent patent application 

10 for statistically correlating user profile attributes with ratings associated with the users 

1 1 possessing those attributes. 
12 

13 It is also reasonable to apply the present technique to video (or streaming video 

14 content) whereby during the course of viewing the content relevant survey questions are 

1 5 presented to users and if desired, the correlation statistics of the results with the associated 

1 6 user attributes are presented to the content owner and/or (preferably) also future viewers. In 

1 7 a novel and advanced variation, time shifted video technology would enable the ability to 

1 8 capture audio or fiill video/audio versions of the comments of the user. 
19 

20 In a very novel application, it is possible upon permission of the associated users, to 

2 1 automatically construct menu trees (in accordance with the above method as disclosed in the 

22 parent case) of live voice or text chat in real-time dynamic fashion. Spoken conversations 

23 may be automatically profiled using acoustic speech-to-text methods. In accordance with 

24 the methods for automatic construction of virtual communities (in this case for dynamic 

25 chat) as disclosed in the parent case, these conmiunities can be constructed automatically 

26 and on-the-fly based upon similarities of chat content, queries, navigational (content) 

27 selection fi-om automatically constructed menu and/or user profile similarity or attributes of 

28 the profiles of the users which may be selected. Thus, in the former case a user could in the 

29 case of a pull down menu gain access by title of key phrase (which are ideally automatically 

30 and dynamically created and updated in accordance with the content of dynamic spoken or 

3 1 recorded conversation spoken or typed in real time and which may be fiirther dynamically 
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1 categorized and re-categorized within a hierarchical menu structure format. Although, the 

2 present system is implemented specifically for Web sites, a generalized user interface 

3 approach is certainly a very appropriate use of the present methodology. 
4 

5 Thus, in the former case a user could in the case of a pull down menu gain access by 

6 title or key phrase (which are ideally automatically and dynamically created and updated in 

7 accordance with the content of dynamic spoken or recorded conversation spoken or typed in 

8 real time from potentially any other user and which may be further dynamically categorized 

9 and re-categorized within a hierarchical menu structure format. Of course, these other users 

1 0 could, if desired, also specify constraints, e.g., by profile attribute of the user (accessor). If a 

1 1 chat dialog of a particular type of subject is scheduled in advance, the user could also be 

1 2 made aware of such posting if his/her profile so allows. 
13 

14 The user could even select key terms or phrases which are most highly predicted to 

15 be of interest/relevance to the user based upon his/her profile, hi any event, the queries 

16 could also be provided as persistent queries this enabling the user to be notified while on- 

17 line (e.g., while on his/her lap-top, PDA, television, or telephone whenever highly relevant 

18 dialogs appear (or even off-line if designated to be important enough, e.g., via a phone, 

19 pager, in an automobile, etc.). It is presumed that many of the interfaces to these devices 

20 will be speech enabled, thus speech-to-text techniques for purposes of the present 

21 apphcation are likely to become increasingly pervasive. The issued patent, "System for 

22 Customized Electronic Identification of Desirable Objects" further offices a technique 

23 which uses similarity measures for profiling users according to their proficiency knowledge 

24 in various informational domains by analyzing their ability to provide intelligent responses 

25 to questions of almost any sort and informational domain presented to them by other 

26 inquirying users. 
27 

28 Accordingly, it is reasonable to also suggest to users functionality which allows 

29 them to be able to be notified of and/or receive messages, e.g., such as via an instant 

30 messenger service or a voice-enabled version thereof, in which potential recipients are able 

3 1 to select certain types of content as manually entered or selected via the menu tree which 
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1 they would be interested in being made aware of or to be notified if^when individuals 

2 possessing attributes and, which may include proficiency attributes by topic, sub-topic or 

3 key word(s)/phrase(s)(again, so long as the user's profile is within the disclosure policy of 

4 the transmitting user. If a willing recipient so desires for both the chat and instant 

5 messaging variations, s/he may receive a copy of the text or voice transmission or if the user 

6 is not able to access it in realt-time or otherwise. Conversely, the user may as a sender wish 

7 to sent the transmission to 
8 

9 1 . All users who have indicated potential interest in the contents (and/or profile or identity 

1 0 of the sender) or users who match a particular user profile (e.g., interest or proficiency such 

1 1 as which is of measured similarity to the contents of the transmission) and/or 
12 

13 2^. Users who are in the process of engaging in a user-user (or multi-user) dialog, which is 

1 4 of measured similarity to that of the transmission. 
15 

1 6 An example application of the present system includes, for TV viewers, the ability to 

1 7 gain access to different types of feedback fi-om other users who are also presently viewing or 

18 had previously viewed a particular TV program, e. g., a comedy, a news story or political 

19 speech in which the present technique could be used effectively as a filter allowing certain 

20 types of user or user attributes to reach the user and others to be suppressed or squelched. In 

21 the latter example, a user who considers herself to be a female liberal may provide settings 

22 during a campaign speech by a conservative Republican speaking out against abortion to 

23 listen to acoustic/verbal gestures by other liberal females advocating abortion). Audible 

24 comments may be unfiltered and heard by the user, if desired. 
25 

26 If the program is a re-broadcast, more elaborate filtering capabilities are conceivable 

27 involving statistical analysis of the spoken language content (such could be conceivably 

28 performed for real time live information, however, at the expense of a slight delay). As 

29 suggested, it may be also possible to observe textually (e.g., through speech to text 

30 techniques) or hear spoken conversations as they exist between individuals possessing 
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1 desired attributes, containing content characterized by key words or phrases from a menu 

2 selection or provided by/between a desired individual or individuals respectively. 

3 

4 In another application, users viewing video or streaming video content may upon 

5 their permission, agree to disclose their user profiles and be acoustically monitored such that 

6 comments, verbal, verbal/audible gestures and expressions and/or video of Effected thereby 

7 may be of interest to users 
8 

9 In conjunction with an educational program a user may wish to observe comments 

10 by those other individuals who are extremely knowledgeable -in the field (to collect 

11 supplemental information and other feed back about the presently viewed content). 

12 Similarly, in the political speech example the user may desire to hear the gestures and/or 

13 spoken comments, reactions and/or brief dialogues occurring during the course of the 

14 political speech by individuals sharing the same political views as the user and which are 

15 considered to be part of the educated elite. In another variation, individuals who 

16 represent the exemplars of different cluster of users (and/or those which are manually 

1 7 selected as providing interesting and/or entertaining feedback) could be heard by the user 

18 collectively and the reactions expressed as acoustic feedback could be statistically 

19 analyzed in dynamic fashion and presented to the user as a breakdown of the user 

20 attributes which presently characterize the present reaction or response of the virtual 

21 audience. 
22 

23 In a future application, such system could be extended to such things as emersive 

24 virtual reality (stationary or non-stationary) systems and/or video gaining systems in 

25 which the reactions of characters (or even different "personals") to various situations and 

26 events could be developed from data collected from the reactions of actual users 

27 comprising the different user clusters as above suggested. 
28 
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1 Applications to Constructing User Profiles and Matching Users by Similarities in Their 

2 Social and Psychological Profiles and/or Life Circumstances and Experiences 
3 

4 There is an untapped opportunity with potentially considerable and deep 

5 implications which could be used to enable very detailed assessment and associated 

6 profiling of individuals. The parent patent describes a very comprehensive methodology 

7 by which users could potentially be profiled so as to define their preferences across 

8 almost any kind of content or commercial products and services. Surveys used to reveal 

9 psychological traits are also used. In the present extension, we first suggest a primary 

10 system methodology in which extremely detailed information is collected and aggregated 

11 into the user profile particularly pertaining to the user" psychological profile (user 

12 preference/interest information demographics, etc. are also usefiil data in that there are 

13 likely correlations which exist with certain psychological attributes of the user). In the 

14 clinical field of psychoanalysis, much information regarding the psychological and 

15 psycho-pathological characteristics of the user is determined, however in compliance 

16 with the confidentiality requirements of the doctor-patient privilege, most if not all of this 

1 7 information remains isolated and never accessible by a large-scale statistical database for 

18 purposes of cross-correlation of psychological characteristics, phenomena, psycho- 

19 pathology (as well as other clinical pathology), as well as behavior, interests, preferences 

20 and more specifically identifiable behavior patterns as well as notable life experiences. 

21 Part of the answer to this dilenmia may well lie in the application of secure data 

22 disclosure to SDI, the pseudonym proxy server and (for extra security) randomized 

23 aggregates for purposes of harvesting the statistical value within the data and (if needed), 

24 interacting with the user while maintaining completely secure and private individual user 

25 data. The present system suggests that there may be much greater accuracy which could 

26 be achieved in the profiling of individuals for use in a number of applications such as the 

27 psychological modeling of patients for use in the diagnosis, treatment, prediction 

28 (including predictive treatment) of psycho-pathology, the matching of "similar" patients 

29 together (for group therapy and/or pseudonymous electronic or physical mail 

30 correspondences) for providing support, inter-patient communication, counseling, etc. 

31 (for which present traumatic life experiences, if relevant, may be quite applicable as 



Page 373 of 381 



SUBSTITUTE SPECIFICATION 



1 well).,as well as the extended/improved modeling/prediction of user interests/preferences 

2 enabled by SDL 

3 

4 Another correlated data type could be employee file databases through which 

5 correlations and predictions of employee behavior and performance, recommendation as 

6 to remedies for existing problems and performance enhancing tactics again could be 

7 achieved. Unfortunately not all data is likely to be accessible for all users (e.g., 

8 browsing/transaction histories are likely to be available but often not information 

9 regarding a user's life experiences or psychological history). To fill in this missing data, 

10 rapid profiling techniques could be applied (see parent patent). Key aspects of a user's 

11 psychological profile for example, could be acquired, anything from their personal 

12 experience, beliefs, fantasies, habits, personality traits social behavior, etc., for 

13 preventative life style patterns. In an obvious example application, an individual could 

14 be very accurately profiled, psychologically in order to predictively determine likely 

15 strengths and weaknesses in his/her psychological and psycho-social aspects and thus 

16 determine recommendations for preventative life style patterns (which could be provided 

17 by professionals and/or determined statistically or confirmed/disproven in order to 

1 8 enhance potential strength and avoid or remedy potential or existing weaknesses (in as 

19 much as the pseudonymous statistical database would, of course, also contain the results 

20 of certain lifestyle therapeutic or pharmacological treatment approaches). It is believed 

21 that in the future, genetic sequence data which could be stored in the pseudonymous user 

22 database could also provide valuable clues as to the complete medical, psychological and 

23 psycho-social make-up of individuals. Another potential methodology could be to 

24 present particular emotion-evoking stimuli as a textual, verbal (or most ideally) 

25 multimedia videographic or even emersive virtual reality) presentation, capture details 

26 about the user's emotional response, comments, gestures, e.g., crying, laughing repulsion, 

27 mortification feeding of physical illness, etc., and perhaps even physiological feedback, if 

28 accessible.. With such large quantities of such sensitive data regarding individuals, SDI 

29 offers users a very powerful and compelling solution by which user's SDI agent can for 

30 any given application or circumstance select only those potions of his/her profile which 

31 will ultimately benefit the user. I.e., there are typically for most relevant applications, 
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1 e.g., employee hiring by corporate HR departments, health insurances,„etc., extremely 

2 crude metrics which are used in the determination and/or terms of a prospective contract 

3 between such commercial entities and a user. There is, thus, considerable opportunity for 

4 SDI agents of the user to analyze user profile data in light of pre-determined models of 

5 what features and metrics are most significant in determining selection and/or terms of 

6 service or a professional relationship with that user based on historical data (through 

7 feedback) or publicly available informational models (e. g., as in the highly regulated 

8 health insurance industry). In order to initialize the statistical model for the more 

9 subjective example of employee selection and terms, the present system could , for 

10 example, disclose to the employer "Mr..X has a psychological profile feature which is 

1 1 highly correlated with a high aptitude for the present job which s/he is applying for and 

12 past job experience Y is 50% more likely than the average employee for that position to 

13 lead to a subsequent promotion and several "employee of the month awards" 
14 

1 5 Application to Identifying Similar Individuals Behaving Under Similar Circumstance 
16 

17 The present user profile information could also be extremely relevant for a novel 

1 8 Internet based service by which individuals could pseudonymously release their profiles 

19 and/or define specific situations and/or conditions (which could be actual, hypothetical or 

20 combination thereof) and the system will identify other scenarios (of like pseudonymous 

21 individuals and/or circumstances) to the general scenario and emphasizing and 

22 prioritizing certain particular aspects thereof Examples include identifying individuals 

23 who had previously (or are presently) in the process of making a very similar professional 

24 decision, interpersonal decision (such as regarding a present or a potential spouse). 

25 Ideally, such interpersonal decisions would involve a very similar situation (such as a 

26 decision), a very similar individual in the analogous position of the user (and ideally, if 

27 possible other similar party(s) fulfilling the analogous role(s) as the present situation 

28 which confronts the user. The relative importance (priority) of the degree of similarity of 

29 various analogous roles in an analogous situation is determined in part by the type of 

30 information which the user would like to determine. For example, determining what a 

31 particular individual would do in a similar circumstance may depend upon how 
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1 dependent that user's action .or decision is upon the circumstances and conditions versus 

2 another individual(s) (and which individual(s) and/or the two (or more) individuals 

3 involved to which the context of the situation primarily relates. Of course, the nature of 

4 the action in question may predicate the relative importance of one or more of the above 

5 factors. These determinations are often quite subjective in nature. Requestees may also 

6 (if the choice exists) be situations which are either of a historical nature (i.e., the situation 

7 had occurred in the past) or of a present nature. In some cases in the latter case, is 

8 preferable as the user may actively request, e.g., the party to which s/he directly relates or 

9 is potentially affected by to provide advice and/or feedback or to what s/he would do 

10 under a particular "what if scenario which could be very specific and relevant to the 

1 1 present circumstances of the user. In a novel variation of the method, the party to which 

12 the user relates is commissioned by the user to do or say something in order to receive a 

1 3 reaction or response. Depending upon how similar the situation actually is, the prompt 

14 could be very similar or partially relevant to the action contemplated by the user in 

15 his/her_--own analogous situation. Or the user may wish to collect feedback from 

16 analogous individuals in similar situations regarding several hypothetical actions 

1 7 (perhaps acted out among several different groups) resulting from decisions in order to 

18 enhance the user's information about the user(s) and the associated situation. 

19 Altematively, historical cases could include requests for valuable advice (as the 

20 experiences and the associated consequences are more likely to have been lived out). 

21 Typically it is most valuable (if a number of similar circumstances exist ) to collect 

22 multiple reactions/responses with which to form a statistical basis for the information. 

23 The biggest problem with the present system is collection of relevant and sufficiently 

24 detailed data relating to the relevant circumstances which must be identified and 

25 accessed. Psychotherapeutic (clinical) databases would be one source, as would be 

26 spoken or typed synchronous or asynchronous communications between individual as 

27 well as (the emerging) ubiquitous computing environments in which users' actions in 

28 spoken communications could be potentially monitored persistently off-line as well as 

29 on-line (for which SDFs privacy-enhanced profiling architecture would be particularly 

30 appropriate). Certainly, if the circumstances affecting the user (requestor) are of a long- 

31 term nature, periodic informational updates could be provided to him/her and/or the 
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1 mutual sharing and advising of the similar experience could be the basis for a two-way 

2 exchange of information between the parties on a short or long-term basis, 
3 

4 AUTOMATED LEARNING OF USER BEHAVIOR AS PART OF AN ENHANCED 

5 MEETING SCHEDULER AND CORRESPONDENCE FILTER 
6 

7 The present section provides application level extensions to similar inference- 

8 based rules recommendation and generation fianctionality such as is described in 

9 conjunction with the Smart Home description , smart office as well as the learning based 

10 methods disclosed within the section entitled "Resolution credentials"_in the access 

1 1 reachability introduction and profile disclosure between two or more parties as disclosed 
12 

1 3 In order to utilize LEIA as a user agent, which is integral and ubiquitous within 

14 the work environment, it is necessary to make its learning as seamless and invisible fi-om 

1 5 the user's perspective as possible. 
16 

17 The next level in applying the capabilities of LEIA is in being able to implicitly 

18 learn the context of the user's present temporal activities as well as establish relative 

19 priorities of the activities that the user (and others who intend to interface with the user) 

20 are engaged in and from the user's previous behavior to similar conditions automatically 

21 generate appropriateness functions (or rules) to automate the process of handling meeting 

22 schedules and filtering real time requests for correspondence with the user. It is possible 

23 to infer: 
24 

25 1 . The content profiles which are associated with the user's present activities. 
26 

27 2. (Often obviously) The nature of the user's present activities by observing what sorts of 

28 actions the user is engaged in, in the office. 
29 
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1 These content profiles and activity indicators may be passively observed by the 

2 user's present interactions (and timing thereof) with his/her PC, other smart appliances 

3 and data and voice communications which the user engages in (telephonically or from 

4 standard face to face dialogues) e.g., suggesting when the user is reading the morning 

5 news, checking phone messages, responding to e-mail, engaged in a particular project, 

6 etc. If these clues are not observable (or not positively identifiable) cyclical time 

7 dependent patterns may be used as implicit indicators of the user's present activities (see 

8 the above section entitled "Further Applications of LEIA"). Alternatively, the system 

9 could prompt a request of confirmation of the user's present activities and possibly on 

10 clues such as verbal regarding present and future established or changing activities and 

1 1 plans These same methods for utilizing time pattern elements which are used to predict 

12 the location of the user may be readily extended to predict or help to substantiate other 

13 statistical user variables relating to the types of actions and content related profiles 

14 characterizing the user's temporal behavior patterns. The following application of these 

1 5 techniques is used to enhance the automatic meeting scheduler: 
16 

1 7 The identity of the task or request, the activity and content attributes of the task or request 

18 profiles (target object profiles) may be developed utilizing the priority of that task 

1 9 relative to the user. This priority is estimated from the priority of the task/request (and its 

20 associated attributes) over other tasks/requests by the user. In order to better substantiate 

21 the relative importance to the user as inferred regarding these activities, the system 

22 should also display the scalar ratings which the user could adjust manually. 
23 

24 Nonetheless, there may be a degree of uncertainty in the user's intentions and 

25 LEIA's inference of the user's intentions. Moreover, unanticipated changeability by the 

26 user (uncertainty) may occur perhaps with increased frequency under certain variables 

27 like the identity of the requestor, the time of day, context of the users other present 

28 activities or when other meetings and obligations are pending which possess a relatively 

29 greater priority with the user (i.e., if they often occur spontaneously). In order to take this 

30 uncertainty factor into consideration, an overall statistical estimate may then be 

3 1 calculated taking into account the predicted statistical probability of each party ultimately 
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1 being available for the meeting. This serves the purpose of both refining the automatic 

2 scheduling process and informing would be visitors before hand as to the relative 

3 importance that their prospective meeting is (or increasingly becomes as the meeting time 

4 approaches) to the employee as well as the overall estimated degree of certainty of the 

5 meeting. This feature my be particularly useful for impromptu visitors where 

6 considerable uncertainty exists as to whether and to what degree the visitor is imposing 

7 upon the employee's schedule. 
8 

9 The temporal context of user behavior (using temporal time series analysis in 

10 conjunction with use of content analysis and user behavior assessment may be both 

11 important predictors as to whether a prospective meeting of a disclosed purpose is 

12 worthwhile for the employee based on present/future priorities and at which most likely 

13 times. By far, its most valuable application , however is in its ability to perform content 

14 analysis and user behavior assessment in real time in order to enhance LEIA's ability to 

1 5 determine whether and to what degree a would-be unannounced visitor or telephone or 

16 intercom callers unannounced contact is relevant to the employee*' present activities and 

17 if not to coordinate with the visitor's agent the time or times when it would be most 

18 relevant to the employees anticipated activities for example there are certain activities 

19 during which an employee doesn't wish to be usually disturbed, e.g. while reading the 

20 moming news, taking a coffee break, calling home, responding to an important email 

21 message, ten minutes before an important meeting. Often within an organization 

22 individuals will attempt to speak with one another as such , the intended duration affects 

23 priority as does the identity of the individual in the organization. Often this variable can 

24 be automatically predicted by LEIA . In such a situation, the relative priority of the 

25 user's preexisting priority tasks is weighted against the priority of the requested tasks 

26 prior to notification. The above application can be readily extended as well to phone 

27 calls, in which the user could be automatically prompted by LEIA to disclose his/her 

28 purpose of the call and/or his/her identity if necessary. This application would be a 

29 usefiil extension to the telephony variation of the email filter described in issued patent 

30 entitled "System and Method for Electronic Identification of Desirable Objects in which 

3 1 the above additional inputs about employees and visitors may provide additional useful 
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1 feedback in automatically determining the rules dictating how to best handle the call or 

2 forward it to a more appropriate employee on behalf of the employee. If there is a certain 

3 degree of uncertainty in the agent's priority determination or assessment of the task 

4 affected the most appropriate rule the employee may observe the rule just prior to 

5 automatic implementation^T-_Oor the action which it represents. The present value of the 

6 contextual employee activity assessment method as disclosed, if extended to advertising 

7 could be significant. For example the knowledge of the context of the user's present 

8 activities could determine what type and when an advertisement targeted to an employee, 

9 e.g. a decision maker will most likely elicit the best response (where the advertisement 

10 matches the professional interest profile) is an ad which corresponds with particular 

1 1 activities of the user ( e.g., which relate in some way with the ad/promotion. As 

12 discussed direct voice telephony and email dialogues may provide very useful clues 

1 3 (using natural language- techneiques}0 as to the particular profile interest summary which 

14 the user currently is experiencing at that moment both what types of user interactions and 

15 advertising is like to be most appropriate. Patent entitled System and Method for 

16 Customization Electronic Identification of Desirable Objects" -suggests a variation of 

1 7 virtual community creation in which the use of present dialogue of users is provided as a 

18 means for determining whether or and if so which ongoing meeting dialogues within the 

19 organization would be most relevant for the user to be introduced to-) either physically or 

20 virtually.. For example, virtual work groups (E. G. over industry wide extranets could 

21 use the above profiling approach in the creation of the group (by matching the 

22 employees' professional interest summaries with the project profile as well as in the 

23 dynamic ad hoce introductions of other experts who have a professional interest profile 

24 which matches the projects attributes such as human skill sets and proficiencies. There 

25 are also personality traits of users which may predispose a team towards success if an 

26 appropriate complementarity of these traits is exhibited within certain members of the 

27 team, e. g. the designers and engineers may be compliant, methodical and meticulous 

28 while the group leader may be impulsive results driven and flamboyant. Some members 

29 may be analytical and idea oriented, others more concerned with the end result and 

30 implementation strategy. Issued patent entitled "System and method for customized 

31 electronic identification of desirable objects" describes how queries may be routed to 
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1 knowledge domain experts in an organization environment .. LEI A may also identify and 

2 prioritize individuals who may be useful candidates to join into a meeting or address a 

3 specific request who are physically in proximity to the meeting location. 
4 

5 While the invention has been particularly shown and described with reference to a 

6 preferred embodiment, it will be understood by those skilled in the art that various changes 

7 in form and detail may be made therein without departing from the spirit and scope of the 

8 invention. 



Page 381 of 381 



